800-53|AC-18

Title

WIRELESS ACCESS

Description

The organization:

Supplemental

Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication.

Reference Item Details

Related: AC-17,AC-19,AC-2,AC-3,CA-3,CA-7,CM-8,IA-2,IA-3,IA-8,PL-4,SI-4

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
1.2 Ensure intra-zone traffic is not always allowed | FortiGate | CIS Fortigate Level 1 v1.0.0
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.2.3 Ensure HTTP and Telnet options are disabled for the management interface | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.2.3 Ensure HTTP and Telnet options are disabled for the management interface | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - HTTP | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - HTTP | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - Telnet | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - Telnet | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.2.5 Ensure valid certificate is set for browser-based administrator interface | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L2
1.2.5 Ensure valid certificate is set for browser-based administrator interface - Authentication Profile | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L2
1.2.5 Ensure valid certificate is set for browser-based administrator interface - Certificate Profiles | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L2
1.2.5 Ensure valid certificate is set for browser-based administrator interface - Certificates | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L2
1.3.1 Ensure 'Control use of the Web Bluetooth API' is set to 'Enabled: Do not allow any site to request access to Bluetooth' | Windows | CIS Microsoft Edge L2 v1.0.1
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.5.5 Set the ACL for each 'snmp-server community' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.7 Set 'snmp-server host' when using SNMP | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.8 Set 'snmp-server enable traps snmp' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 | Cisco | CIS Cisco IOS 15 L2 v4.1.1
18.5.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableFlashConfigRegistrar | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2
18.5.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableFlashConfigRegistrar | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.5.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableInBand802DOT11Registrar | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2
18.5.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableInBand802DOT11Registrar | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.5.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableUPnPRegistrar | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2
18.5.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableUPnPRegistrar | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.5.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableWPDRegistrar | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2
18.5.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableWPDRegistrar | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.5.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - EnableRegistrars | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2
18.5.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - EnableRegistrars | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.5.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableFlashConfigRegistrar | Windows | CIS Windows Server 2012 MS L2 v2.2.0
18.5.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableFlashConfigRegistrar | Windows | CIS Windows Server 2012 DC L2 v2.2.0
18.5.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableFlashConfigRegistrar | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L2 + BL
18.5.20.1 Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableFlashConfigRegistrar | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L2 + BL + NG