800-53|AC-17(3)

Title

MANAGED ACCESS CONTROL POINTS

Description

The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.

Supplemental

Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: SC-7

Category: ACCESS CONTROL

Parent Title: REMOTE ACCESS

Family: ACCESS CONTROL

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'	Cisco	CIS Cisco IOS 17 L1 v2.0.0
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'	Cisco	CIS Cisco IOS 16 L1 v2.0.0
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured'	Cisco	CIS Cisco IOS 17 L1 v2.0.0
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured'	Cisco	CIS Cisco IOS 16 L1 v2.0.0
1.2.5 Set 'access-class' for 'line vty'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.2.5 Set 'access-class' for 'line vty'	Cisco	CIS Cisco IOS 17 L1 v2.0.0
1.2.5 Set 'access-class' for 'line vty'	Cisco	CIS Cisco IOS 16 L1 v2.0.0
1.5.5 Set the ACL for each 'snmp-server community'	Cisco	CIS Cisco IOS 16 L1 v2.0.0
1.5.5 Set the ACL for each 'snmp-server community'	Cisco	CIS Cisco IOS 17 L1 v2.0.0
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL'	Cisco	CIS Cisco IOS 16 L1 v2.0.0
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL'	Cisco	CIS Cisco IOS 17 L1 v2.0.0
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL'	Cisco	CIS Cisco IOS 17 L1 v2.0.0
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL'	Cisco	CIS Cisco IOS 16 L1 v2.0.0
1.5.7 Set 'snmp-server host' when using SNMP	Cisco	CIS Cisco IOS 16 L1 v2.0.0
1.5.7 Set 'snmp-server host' when using SNMP	Cisco	CIS Cisco IOS 17 L1 v2.0.0
1.5.8 Set 'snmp-server enable traps snmp'	Cisco	CIS Cisco IOS 16 L1 v2.0.0
1.5.8 Set 'snmp-server enable traps snmp'	Cisco	CIS Cisco IOS 17 L1 v2.0.0
2.4.2 Ensure all the login accounts having specific trusted hosts enabled	FortiGate	CIS Fortigate 7.0.x Level 1 v1.2.0
5.2.1 Minimize the admission of privileged containers	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
5.2.5 Minimize the admission of containers with allowPrivilegeEscalation	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
5.2.6 Minimize the admission of root containers	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
6.2 Ensure that operating system resource limits are set for MongoDB	Windows	CIS MongoDB 3.6 L2 Windows Audit v1.1.0
6.2 Ensure that operating system resource limits are set for MongoDB	Unix	CIS MongoDB 3.6 L2 Unix Audit v1.1.0
Big Sur - Managed Access Control Points	Unix	NIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Managed Access Control Points	Unix	NIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Managed Access Control Points	Unix	NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Catalina - Managed Access Control Points	Unix	NIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Managed Access Control Points	Unix	NIST macOS Catalina v1.5.0 - All Profiles
Catalina - Managed Access Control Points	Unix	NIST macOS Catalina v1.5.0 - 800-53r5 High
GEN005504 - The SSH daemon must only listen on management network addresses unless authorized for uses other than management.	Unix	DISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit
GEN005504 - The SSH daemon must only listen on management network addresses unless authorized for uses other than management.	Unix	DISA STIG for Oracle Linux 5 v2r1
GEN005504 - The SSH daemon must only listen on management network addresses unless authorized for uses other than management.	Unix	DISA STIG AIX 6.1 v1r14
GEN005504 - The SSH daemon must only listen on management network addresses unless authorized for uses other than management.	Unix	DISA STIG AIX 5.3 v1r2
Monterey - Managed Access Control Points	Unix	NIST macOS Monterey v1.0.0 - 800-53r5 Moderate
Monterey - Managed Access Control Points	Unix	NIST macOS Monterey v1.0.0 - 800-53r5 High
Monterey - Managed Access Control Points	Unix	NIST macOS Monterey v1.0.0 - All Profiles
WBSP-AS-000140 - The WebSphere Application Server bus security must be enabled.	Unix	DISA IBM WebSphere Traditional 9 STIG v1r1
WBSP-AS-000140 - The WebSphere Application Server bus security must be enabled.	Windows	DISA IBM WebSphere Traditional 9 Windows STIG v1r1
WBSP-AS-000140 - The WebSphere Application Server bus security must be enabled.	Unix	DISA IBM WebSphere Traditional 9 STIG v1r1 Middleware

Detections

Analytics