800-53|AC-6(3)

Title

NETWORK ACCESS TO PRIVILEGED COMMANDS

Description

The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system.

Supplemental

Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device).

Reference Item Details

Related: AC-17

Category: ACCESS CONTROL

Parent Title: LEAST PRIVILEGE

Family: ACCESS CONTROL

Baseline Impact: HIGH

Audit Items

Name | Plugin | Audit Name
1.2.4.16 Set 'Allow Remote Shell Access' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
2.2 Ensure Access to Sensitive Site Features Is Restricted To Authenticated Principals Only - Applications | Windows | CIS IIS 8.0 v1.5.0 Level 1
2.2 Ensure Access to Sensitive Site Features Is Restricted To Authenticated Principals Only - Applications | Windows | CIS IIS 7 L1 v1.8.0
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + NG
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 10 Stand-alone v1.12.0 L1 + NG
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 10 Stand-alone v1.0.1 L1 + BL
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 11 Stand-alone v1.0.0 L1 + BL
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 10 Stand-alone v1.0.1 L1
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 10 Stand-alone v1.0.1 L1 + BL + NG
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL + NG
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 11 Stand-alone v1.0.0 L1 + BL + NG
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 11 Stand-alone v1.0.0 L1 + NG
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 11 Stand-alone v1.0.0 L1
2.3.10.11 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only) | Windows | CIS Windows Server 2012 MS L1 v2.4.0
2.3.10.11 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only) | Windows | CIS Microsoft Windows Server 2016 MS L1 v1.4.0
2.3.10.11 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only) | Windows | CIS Windows Server 2012 R2 MS L1 v2.6.0
2.3.10.11 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only) - Administrators: Remote Access: Allow | Windows | CIS Microsoft Windows Server 2019 MS L1 v1.3.0
5.5 Ensure root login is restricted to system console | Unix | CIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1
5.5 Ensure root login is restricted to system console | Unix | CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
5.5 Ensure root login is restricted to system console | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
5.5 Ensure root login is restricted to system console | Unix | CIS SUSE Linux Enterprise Server 11 L1 v2.1.1
5.6 Ensure root login is restricted to system console | Unix | CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
5.6 Ensure root login is restricted to system console | Unix | CIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
6.10 Restrict root Login to System Console - Check if 'CONSOLE' in /etc/default/login is set to /dev/console. | Unix | CIS Solaris 10 L1 v5.2
6.14 Restrict root Login to System Console - CONSOLE = /dev/console | Unix | CIS Solaris 11.1 L1 v1.0.0
6.14 Restrict root Login to System Console - CONSOLE = /dev/console | Unix | CIS Solaris 11.2 L1 v1.1.0
6.14 Restrict root Login to System Console - CONSOLE = /dev/console | Unix | CIS Solaris 11 L1 v1.1.0
7.11 Restrict root logins to system console, | Unix | CIS Solaris 9 v1.3
9.1 Check for Remote Consoles | Unix | CIS Solaris 11 L1 v1.1.0
9.1 Check for Remote Consoles | Unix | CIS Solaris 11.2 L1 v1.1.0
9.1 Check for Remote Consoles | Unix | CIS Solaris 11.1 L1 v1.0.0
9.1 Check for Remote Consoles using 'consadm' command line utility | Unix | CIS Solaris 10 L1 v5.2
9.4 Restrict root Login to System Console | Unix | CIS Debian Linux 7 L1 v1.0.0
9.4 Restrict root Login to System Console - Review | Unix | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
10.2 Restrict access to the web administration | Unix | CIS Apache Tomcat 7 L2 v1.1.0
10.2 Restrict access to the web administration | Unix | CIS Apache Tomcat 7 L2 v1.1.0 Middleware
18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
18.8.7.2 Ensure 'Allow remote access to the Plug and Play interface' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.8.7.2 Ensure 'Allow remote access to the Plug and Play interface' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 2 v3.2.0
18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
Adtran : Enable aaa authentication | Adtran | TNS Adtran AOS Best Practice Audit
Apply UAC restrictions to local accounts on network logon | Windows | MSCT Windows Server 2012 R2 MS v1.0.0
Apply UAC restrictions to local accounts on network logon | Windows | MSCT Windows Server 2016 MS v1.0.0
Apply UAC restrictions to local accounts on network logon | Windows | MSCT Windows 10 v1507 v1.0.0
Apply UAC restrictions to local accounts on network logon | Windows | MSCT Windows 10 1803 v1.0.0
Apply UAC restrictions to local accounts on network logons | Windows | MSCT Windows 10 v21H1 v1.0.0