800-53|AC-6(3)

Title

NETWORK ACCESS TO PRIVILEGED COMMANDS

Description

The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system.

Supplemental

Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device).

Reference Item Details

Related: AC-17

Category: ACCESS CONTROL

Parent Title: LEAST PRIVILEGE

Family: ACCESS CONTROL

Baseline Impact: HIGH

Audit Items

Name | Plugin | Audit Name
1.2.4.16 Set 'Allow Remote Shell Access' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
2.2 Ensure access to sensitive site features is restricted to authenticated principals only | Windows | CIS IIS 8.0 v1.5.1 Level 1
2.2 Ensure Access to Sensitive Site Features Is Restricted To Authenticated Principals Only - Applications | Windows | CIS IIS 7 L1 v1.8.0
2.3.10.4 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Intune for Windows 11 v2.0.0 L1 + BL + NG
2.3.10.4 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Intune for Windows 11 v2.0.0 L1 + BL
2.3.10.4 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Intune for Windows 11 v2.0.0 L1
2.3.10.4 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Intune for Windows 10 v2.0.0 L1
2.3.10.4 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Intune for Windows 11 v2.0.0 L1 + NG
2.3.10.4 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Intune for Windows 10 v2.0.0 L1 + BL + NG
2.3.10.4 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Intune for Windows 10 v2.0.0 L1 + BL
2.3.10.4 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Intune for Windows 10 v2.0.0 L1 + NG
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 11 Stand-alone v2.0.0 L1 + BL
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + BL
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 11 Enterprise v2.0.0 L1 + BL
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 11 Enterprise v2.0.0 L1
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 10 EMS Gateway v2.0.0 L1
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 11 Stand-alone v2.0.0 L1
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL + NG
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + NG
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + BL + NG
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + NG
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL
2.3.10.10 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only) - Administrators: Remote Access: Allow | Windows | CIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 MS
2.3.10.11 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only) | Windows | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1
2.3.10.11 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only) | Windows | CIS Windows Server 2012 MS L1 v3.0.0
2.3.10.11 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only) | Windows | CIS Windows Server 2012 R2 MS L1 v3.0.0
2.3.10.11 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only) - Administrators: Remote Access: Allow | Windows | CIS Microsoft Windows Server 2019 MS L1 v2.0.0
2.3.10.11 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only) - Administrators: Remote Access: Allow | Windows | CIS Microsoft Windows Server 2019 MS Standalone L1 v1.0.0
2.3.10.11 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only) - Administrators: Remote Access: Allow | Windows | CIS Microsoft Windows Server 2022 v2.0.0 L1 MS
2.3.10.11 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only) - Administrators: Remote Access: Allow | Windows | CIS Microsoft Windows Server 2016 MS L1 v2.0.0
5.5 Ensure root login is restricted to system console | Unix | CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
5.5 Ensure root login is restricted to system console | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
5.5 Ensure root login is restricted to system console | Unix | CIS SUSE Linux Enterprise Server 11 L1 v2.1.1
5.5 Ensure root login is restricted to system console | Unix | CIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1
5.6 Ensure root login is restricted to system console | Unix | CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
5.6 Ensure root login is restricted to system console | Unix | CIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
6.10 Restrict root Login to System Console - Check if 'CONSOLE' in /etc/default/login is set to /dev/console. | Unix | CIS Solaris 10 L1 v5.2
6.14 Restrict root Login to System Console - CONSOLE = /dev/console | Unix | CIS Solaris 11.1 L1 v1.0.0
6.14 Restrict root Login to System Console - CONSOLE = /dev/console | Unix | CIS Solaris 11.2 L1 v1.1.0
6.14 Restrict root Login to System Console - CONSOLE = /dev/console | Unix | CIS Solaris 11 L1 v1.1.0
10.2 Restrict access to the web administration | Unix | CIS Apache Tomcat 7 L2 v1.1.0
10.2 Restrict access to the web administration | Unix | CIS Apache Tomcat 7 L2 v1.1.0 Middleware
18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.3.1 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
18.8.7.2 Ensure 'Allow remote access to the Plug and Play interface' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.8.7.2 Ensure 'Allow remote access to the Plug and Play interface' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 2 v3.2.0
18.9.98.1 Ensure 'Allow Remote Shell Access' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0