800-53|IA-2(1)

Title

NETWORK ACCESS TO PRIVILEGED ACCOUNTS

Description

The information system implements multifactor authentication for network access to privileged accounts.

Reference Item Details

Related: AC-6

Category: IDENTIFICATION AND AUTHENTICATION

Parent Title: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

Family: IDENTIFICATION AND AUTHENTICATION

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.1.1 Ensure multifactor authentication is enabled for all users in administrative roles | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v1.4.0 |
| 1.1.2 Ensure multifactor authentication is enabled for all users in all roles | microsoft_azure | CIS Microsoft 365 Foundations E3 L2 v1.4.0 |
| 1.1.3 Configure AAA Authentication - Local SSH keys | Cisco | CIS Cisco NX-OS L1 v1.0.0 |
| 1.1.3.8.1 Set 'Microsoft network server: Disconnect clients when logon hours expire' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.6 Enable Conditional Access policies to block legacy authentication | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v1.4.0 |
| 1.1.8 Enable Azure AD Identity Protection sign-in risk policies | microsoft_azure | CIS Microsoft 365 Foundations E5 L2 v1.4.0 |
| 1.1.15 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users. | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v1.4.0 |
| 1.1.16 Ensure the option to stay signed in is disabled | microsoft_azure | CIS Microsoft 365 Foundations E3 L2 v1.4.0 |
| 1.1.21 Ensure that the --kubelet-certificate-authority argument is set as appropriate | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1 |
| 1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - certificate | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1 |
| 1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - key | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1 |
| 1.1.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1 |
| 1.2 Ensure modern authentication for Exchange Online is enabled | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v1.4.0 |
| 1.2 Ensure that multi-factor authentication is enabled for all non-privileged users - List Users | microsoft_azure | CIS Microsoft Azure Foundations v1.3.1 L2 |
| 1.2 Ensure that multi-factor authentication is enabled for all non-privileged users - Role Assignments | microsoft_azure | CIS Microsoft Azure Foundations v1.3.1 L2 |
| 1.2 Ensure that multi-factor authentication is enabled for all non-privileged users - Role Definitions | microsoft_azure | CIS Microsoft Azure Foundations v1.3.1 L2 |
| 1.2.2 Set 'transport input ssh' for 'line vty' connections | Cisco | CIS Cisco IOS 16 L1 v1.1.2 |
| 1.2.2 Set 'transport input ssh' for 'line vty' connections | Cisco | CIS Cisco IOS 15 L1 v4.1.1 |
| 1.2.3 Ensure HTTP and Telnet options are disabled for the management interface | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 |
| 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - HTTP | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 |
| 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - Telnet | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 |
| 1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - certificate | Unix | CIS Kubernetes v1.20 Benchmark v1.0.0 L1 Master |
| 1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - key | Unix | CIS Kubernetes v1.20 Benchmark v1.0.0 L1 Master |
| 1.2.4.2.1.15 Set 'Configure use of smart cards on fixed data drives' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.2.4.2.2.15 Set 'Require additional authentication at startup' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.2.4.2.2.25 Set 'Allow enhanced PINs for startup' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.2.4.2.3.15 Set 'Configure use of smart cards on removable data drives' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate | Unix | CIS Kubernetes v1.20 Benchmark v1.0.0 L1 Master |
| 1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - certificate | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - key | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.2.5 Ensure valid certificate is set for browser-based administrator interface - Authentication Profile | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L2 v1.0.0 |
| 1.2.5 Ensure valid certificate is set for browser-based administrator interface - Certificate Profiles | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L2 v1.0.0 |
| 1.2.5 Ensure valid certificate is set for browser-based administrator interface - Certificates | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L2 v1.0.0 |
| 1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.2.34 Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Unix | CIS Kubernetes v1.20 Benchmark v1.0.0 L1 Master |
| 1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master |
| 1.3 Ensure modern authentication for Skype for Business Online is enabled | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v1.4.0 |
| 1.4 Ensure modern authentication for SharePoint applications is required | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v1.4.0 |
| 1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled' | microsoft_azure | CIS Microsoft Azure Foundations v1.3.1 L2 |
| 1.4.3 Configure SNMPv3 - engineID | Cisco | CIS Cisco NX-OS L2 v1.0.0 |
| 1.4.3 Configure SNMPv3 - engineID | Cisco | CIS Cisco NX-OS L1 v1.0.0 |
| 1.4.3 Configure SNMPv3 - group v3 | Cisco | CIS Cisco NX-OS L2 v1.0.0 |
| 1.4.3 Configure SNMPv3 - group v3 | Cisco | CIS Cisco NX-OS L1 v1.0.0 |
| 1.5 Ensure that 'Number of methods required to reset' is set to '2' | microsoft_azure | CIS Microsoft Azure Foundations v1.3.1 L1 |
| 1.5.1 Ensure 'V3' is selected for SNMP polling | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 |
| 1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3 | Cisco | CIS Cisco IOS 16 L2 v1.1.2 |
| 1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 | Cisco | CIS Cisco IOS 16 L2 v1.1.2 |
| 18.9.11.1.12 Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL + NG |
| 18.9.11.1.12 Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL |
| 18.9.11.1.12 Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L2 + BL + NG |