800-53|IA-2(1)

Title

NETWORK ACCESS TO PRIVILEGED ACCOUNTS

Description

The information system implements multifactor authentication for network access to privileged accounts.

Reference Item Details

Related: AC-6

Category: IDENTIFICATION AND AUTHENTICATION

Parent Title: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

Family: IDENTIFICATION AND AUTHENTICATION

Baseline Impact: LOW,MODERATE,HIGH

Audit Items


| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.1.2 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L1 |
| 1.1.3 Configure AAA Authentication - Local SSH keys | Cisco | CIS Cisco NX-OS L1 v1.0.0 |
| 1.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users - List Users | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L2 |
| 1.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users - Role Assignments | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L2 |
| 1.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users - Role Definitions | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L2 |
| 1.1.3.8.1 Set 'Microsoft network server: Disconnect clients when logon hours expire' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L1 |
| 1.1.21 Ensure that the --kubelet-certificate-authority argument is set as appropriate | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1 |
| 1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - certificate | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1 |
| 1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - key | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1 |
| 1.1.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1 |
| 1.2 Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts | GCP | CIS Google Cloud Platform v2.0.0 L1 |
| 1.2.2 Set 'transport input ssh' for 'line vty' connections | Cisco | CIS Cisco IOS 17 L1 v2.0.0 |
| 1.2.2 Set 'transport input ssh' for 'line vty' connections | Cisco | CIS Cisco IOS 16 L1 v2.0.0 |
| 1.2.2 Set 'transport input ssh' for 'line vty' connections | Cisco | CIS Cisco IOS 15 L1 v4.1.1 |
| 1.2.3 Ensure HTTP and Telnet options are disabled for the management interface | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 |
| 1.2.3 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L1 |
| 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - HTTP | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 |
| 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - Telnet | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 |
| 1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L1 |
| 1.2.4.2.1.15 Set 'Configure use of smart cards on fixed data drives' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.2.4.2.2.15 Set 'Require additional authentication at startup' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.2.4.2.2.25 Set 'Allow enhanced PINs for startup' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.2.5 Ensure Multi-factor Authentication is Required for Risky Sign-ins | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L1 |
| 1.2.5 Ensure valid certificate is set for browser-based administrator interface - Authentication Profile | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L2 v1.0.0 |
| 1.2.5 Ensure valid certificate is set for browser-based administrator interface - Certificate Profiles | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L2 v1.0.0 |
| 1.2.5 Ensure valid certificate is set for browser-based administrator interface - Certificates | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L2 v1.0.0 |
| 1.2.6 Ensure Multi-factor Authentication is Required for Azure Management | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L1 |
| 1.3 Ensure that Security Key Enforcement is Enabled for All Admin Accounts | GCP | CIS Google Cloud Platform v2.0.0 L2 |
| 1.4.3 Configure SNMPv3 - engineID | Cisco | CIS Cisco NX-OS L2 v1.0.0 |
| 1.4.3 Configure SNMPv3 - engineID | Cisco | CIS Cisco NX-OS L1 v1.0.0 |
| 1.4.3 Configure SNMPv3 - group v3 | Cisco | CIS Cisco NX-OS L2 v1.0.0 |
| 1.4.3 Configure SNMPv3 - group v3 | Cisco | CIS Cisco NX-OS L1 v1.0.0 |
| 1.5 Ensure MFA is enabled for the 'root' user account | amazon_aws | CIS Amazon Web Services Foundations L1 2.0.0 |
| 1.5.1 Ensure 'V3' is selected for SNMP polling | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 |
| 1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3 | Cisco | CIS Cisco IOS 16 L2 v2.0.0 |
| 1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3 | Cisco | CIS Cisco IOS 17 L2 v2.0.0 |
| 1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 | Cisco | CIS Cisco IOS 17 L2 v2.0.0 |
| 1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 | Cisco | CIS Cisco IOS 12 L2 v4.0.0 |
| 1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 | Cisco | CIS Cisco IOS 16 L2 v2.0.0 |
| 1.6 Ensure hardware MFA is enabled for the 'root' user account | amazon_aws | CIS Amazon Web Services Foundations L2 2.0.0 |
| 1.6 Ensure That 'Number of methods required to reset' is set to '2' | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L1 |
| 1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | amazon_aws | CIS Amazon Web Services Foundations L1 2.0.0 |
| 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' | microsoft_azure | CIS Microsoft Azure Foundations v2.0.0 L1 |
| 18.10.15.5 Ensure 'Enable OneSettings Auditing' is set to 'Enabled' - Enabled | Windows | CIS Microsoft Windows Server 2019 DC L1 v2.0.0 |
| 18.10.15.5 Ensure 'Enable OneSettings Auditing' is set to 'Enabled' - Enabled | Windows | CIS Microsoft Windows Server 2022 v2.0.0 L1 MS |
| 18.10.15.5 Ensure 'Enable OneSettings Auditing' is set to 'Enabled' - Enabled | Windows | CIS Microsoft Windows Server 2019 MS L1 v2.0.0 |
| 18.10.15.5 Ensure 'Enable OneSettings Auditing' is set to 'Enabled' - Enabled | Windows | CIS Microsoft Windows Server 2022 v2.0.0 L1 DC |
| 18.10.15.5 Ensure 'Enable OneSettings Auditing' is set to 'Enabled' - Enabled | Windows | CIS Microsoft Windows Server 2016 DC L1 v2.0.0 |
| 18.10.15.5 Ensure 'Enable OneSettings Auditing' is set to 'Enabled' - Enabled | Windows | CIS Microsoft Windows Server 2016 MS L1 v2.0.0 |