800-53|AC-17(3)

Title

MANAGED ACCESS CONTROL POINTS

Description

The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.

Supplemental

Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections.

Reference Item Details

Related: SC-7

Category: ACCESS CONTROL

Parent Title: REMOTE ACCESS

Family: ACCESS CONTROL

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'CiscoCIS Cisco IOS 17 L1 v1.0.0
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'CiscoCIS Cisco IOS 16 L1 v1.1.2
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured'CiscoCIS Cisco IOS 15 L1 v4.1.1
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured'CiscoCIS Cisco IOS 17 L1 v1.0.0
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured'CiscoCIS Cisco IOS 16 L1 v1.1.2
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured'CiscoCIS Cisco IOS 15 L1 v4.1.1
1.2.5 Set 'access-class' for 'line vty'CiscoCIS Cisco IOS 17 L1 v1.0.0
1.2.5 Set 'access-class' for 'line vty'CiscoCIS Cisco IOS 15 L1 v4.1.1
1.2.5 Set 'access-class' for 'line vty'CiscoCIS Cisco IOS 16 L1 v1.1.2
1.5.5 Set the ACL for each 'snmp-server community'CiscoCIS Cisco IOS 17 L1 v1.0.0
1.5.5 Set the ACL for each 'snmp-server community'CiscoCIS Cisco IOS 16 L1 v1.1.2
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL'CiscoCIS Cisco IOS 17 L1 v1.0.0
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL'CiscoCIS Cisco IOS 16 L1 v1.1.2
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL'CiscoCIS Cisco IOS 16 L1 v1.1.2
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL'CiscoCIS Cisco IOS 17 L1 v1.0.0
1.5.7 Set 'snmp-server host' when using SNMPCiscoCIS Cisco IOS 16 L1 v1.1.2
1.5.7 Set 'snmp-server host' when using SNMPCiscoCIS Cisco IOS 17 L1 v1.0.0
1.5.8 Set 'snmp-server enable traps snmp'CiscoCIS Cisco IOS 17 L1 v1.0.0
1.5.8 Set 'snmp-server enable traps snmp'CiscoCIS Cisco IOS 16 L1 v1.1.2
2.4.2 Ensure all the login accounts having specific trusted hosts enabledFortiGateCIS Fortigate Level 1 v1.0.0
4.6.1 Create administrative boundaries between resources using namespacesGCPCIS Google Kubernetes Engine (GKE) v1.3.0 L1
6.2 Ensure that operating system resource limits are set for MongoDBUnixCIS MongoDB 3.6 L2 Unix Audit v1.1.0
6.2 Ensure that operating system resource limits are set for MongoDBWindowsCIS MongoDB 3.6 L2 Windows Audit v1.1.0
Big Sur - Managed Access Control PointsUnixNIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Managed Access Control PointsUnixNIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Managed Access Control PointsUnixNIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Catalina - Managed Access Control PointsUnixNIST macOS Catalina v1.5.0 - All Profiles
Catalina - Managed Access Control PointsUnixNIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Managed Access Control PointsUnixNIST macOS Catalina v1.5.0 - 800-53r5 Moderate
GEN005504 - The SSH daemon must only listen on management network addresses unless authorized for uses other than management.UnixDISA STIG for Red Hat Enterprise Linux 5 v1r18 Audit
GEN005504 - The SSH daemon must only listen on management network addresses unless authorized for uses other than management.UnixDISA STIG for Oracle Linux 5 v2r1
GEN005504 - The SSH daemon must only listen on management network addresses unless authorized for uses other than management.UnixDISA STIG AIX 6.1 v1r14
GEN005504 - The SSH daemon must only listen on management network addresses unless authorized for uses other than management.UnixDISA STIG AIX 5.3 v1r2
Monterey - Managed Access Control PointsUnixNIST macOS Monterey v1.0.0 - 800-53r5 Moderate
Monterey - Managed Access Control PointsUnixNIST macOS Monterey v1.0.0 - 800-53r5 High
Monterey - Managed Access Control PointsUnixNIST macOS Monterey v1.0.0 - All Profiles
WBSP-AS-000140 - The WebSphere Application Server bus security must be enabled.UnixDISA IBM WebSphere Traditional 9 STIG v1r1 Middleware
WBSP-AS-000140 - The WebSphere Application Server bus security must be enabled.UnixDISA IBM WebSphere Traditional 9 STIG v1r1
WBSP-AS-000140 - The WebSphere Application Server bus security must be enabled.WindowsDISA IBM WebSphere Traditional 9 Windows STIG v1r1