800-53|CA-9

Title

INTERNAL SYSTEM CONNECTIONS

Description

The organization:

Supplemental

This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration.

Reference Item Details

Related: AC-18, AC-19, AC-3, AC-4, AU-12, AU-2, CA-7, CM-2, IA-3, SC-7, SI-4

Category: SECURITY ASSESSMENT AND AUTHORIZATION

Family: SECURITY ASSESSMENT AND AUTHORIZATION

Priority: P2

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.2.3 Set 'no exec' for 'line aux 0' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
1.2.3 Set 'no exec' for 'line aux 0' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
1.5.1 Set 'no snmp-server' to disable SNMP when unused | Cisco | CIS Cisco IOS 16 L1 v1.1.2
1.5.1 Set 'no snmp-server' to disable SNMP when unused | Cisco | CIS Cisco IOS 17 L1 v1.0.0
1.5.2 Unset 'private' for 'snmp-server community' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
1.5.2 Unset 'private' for 'snmp-server community' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
1.5.3 Unset 'public' for 'snmp-server community' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
1.5.3 Unset 'public' for 'snmp-server community' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
1.5.4 Do not set 'RW' for any 'snmp-server community' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
1.5.4 Do not set 'RW' for any 'snmp-server community' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
1.6.3 Create network segmentation using Network Policies | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L2
2.1.2 Set 'no cdp run' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
2.1.2 Set 'no cdp run' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
2.1.3 Ensure NFS and RPC are not enabled - nfs-server | Unix | CIS Google Container-Optimized OS L1 Server v1.0.0
2.1.3 Ensure NFS and RPC are not enabled - rpcbind | Unix | CIS Google Container-Optimized OS L1 Server v1.0.0
2.1.3 Set 'no ip bootp server' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
2.1.3 Set 'no ip bootp server' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
2.1.4 Ensure rsync service is not enabled | Unix | CIS Google Container-Optimized OS L1 Server v1.0.0
2.1.4 Set 'no service dhcp' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
2.1.4 Set 'no service dhcp' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
2.1.4 Set 'no service dhcp' - dhcp pool | Cisco | CIS Cisco IOS 17 L1 v1.0.0
2.1.4 Set 'no service dhcp' - dhcp pool | Cisco | CIS Cisco IOS 16 L1 v1.1.2
2.1.5 Set 'no ip identd' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
2.1.5 Set 'no ip identd' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
2.1.6 Set 'service tcp-keepalives-in' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
2.1.6 Set 'service tcp-keepalives-in' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
2.1.8 Set 'no service pad' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
2.1.8 Set 'no service pad' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
2.2 Ensure the ESXi host firewall is configured to restrict access to services running on the host | Unix | CIS VMware ESXi 6.7 v1.2.0 Level 1 Bare Metal
2.2 Ensure the ESXi host firewall is configured to restrict access to services running on the host | VMware | CIS VMware ESXi 7.0 v1.1.0 Level 1
2.3.10.6 (L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
2.3.10.6 (L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1
2.3.10.6 Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only) | Windows | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.0
2.3.10.6 Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only) | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.0
2.3.10.7 Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only) | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.0
2.3.10.7 Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only) | Windows | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.0
2.4.1 Create a single 'interface loopback' - 'Only one loopback interface IP Address is defined' | Cisco | CIS Cisco IOS 16 L2 v1.1.2
2.4.1 Create a single 'interface loopback' - 'Only one loopback interface IP Address is defined' | Cisco | CIS Cisco IOS 17 L2 v1.0.0
2.4.1 Create a single 'interface loopback' - 'Only one loopback interface is defined' | Cisco | CIS Cisco IOS 16 L2 v1.1.2
2.4.1 Create a single 'interface loopback' - 'Only one loopback interface is defined' | Cisco | CIS Cisco IOS 17 L2 v1.0.0
2.4.4 Set 'ip tftp source-interface' to the Loopback Interface | Cisco | CIS Cisco IOS 16 L2 v1.1.2
2.4.4 Set 'ip tftp source-interface' to the Loopback Interface | Cisco | CIS Cisco IOS 17 L2 v1.0.0
3.1.1 Set 'no ip source-route' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
3.1.1 Set 'no ip source-route' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
18.9.35.1 (L1) Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.35.1 (L1) Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1
20.30 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2019 STIG MS STIG v1.0.1
20.30 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2019 STIG DC STIG v1.0.1
20.31 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2016 STIG MS STIG v1.1.0
20.31 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2016 STIG DC STIG v1.1.0