800-53|IA-2(11)

Title

REMOTE ACCESS - SEPARATE DEVICE

Description

The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].

Supplemental

For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users.

Reference Item Details

Related: AC-6

Category: IDENTIFICATION AND AUTHENTICATION

Parent Title: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

Family: IDENTIFICATION AND AUTHENTICATION

Baseline Impact: MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.8.8 Ensure users must authenticate users using MFA via a graphical user logon | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.10 Ensure required packages for multifactor authentication are installed | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.10 Ensure required packages for multifactor authentication are installed - esc | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
1.10 Ensure required packages for multifactor authentication are installed - pam_pkcs11 | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
5.4.9 Ensure multifactor authentication for access to privileged accounts - PAM. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.10 Ensure certificate status checking for PKI authentication | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
AIX7-00-003200 - The AIX operating system must use Multi Factor Authentication | Unix | DISA STIG AIX 7.x v2r8
AOSX-14-003025 - The macOS system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. | Unix | DISA STIG Apple Mac OSX 10.14 v2r6
AOSX-15-003020 - The macOS system must use multifactor authentication for local and network access to privileged and non-privileged accounts, the establishment of nonlocal maintenance and diagnostic sessions, and authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access - ChallengeResponseAuthentication | Unix | DISA STIG Apple Mac OSX 10.15 v1r10
AOSX-15-003020 - The macOS system must use multifactor authentication for local and network access to privileged and non-privileged accounts, the establishment of nonlocal maintenance and diagnostic sessions, and authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access - enforceSmartCard | Unix | DISA STIG Apple Mac OSX 10.15 v1r10
AOSX-15-003020 - The macOS system must use multifactor authentication for local and network access to privileged and non-privileged accounts, the establishment of nonlocal maintenance and diagnostic sessions, and authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access - PasswordAuthentication | Unix | DISA STIG Apple Mac OSX 10.15 v1r10
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - All Profiles
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - CNSSI 1253
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Low
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - 800-171
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 High
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Low
F5BI-LT-000193 - A BIG-IP Core implementation providing user authentication intermediary services must be configured to require multifactor authentication for remote access to non-privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. | F5 | DISA F5 BIG-IP Local Traffic Manager 11.x STIG v2r1
F5BI-LT-000195 - The BIG-IP Core implementation providing user authentication intermediary services must be configured to require multifactor authentication for remote access with privileged accounts to virtual servers in such a way that one of the factors is provided by a device separate from the system gaining access. | F5 | DISA F5 BIG-IP Local Traffic Manager 11.x STIG v2r1
OL07-00-010061 - The Oracle Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon. | Unix | DISA Oracle Linux 7 STIG v2r12
OL07-00-041001 - The Oracle Linux operating system must have the required packages for multifactor authentication installed. | Unix | DISA Oracle Linux 7 STIG v2r12
OL07-00-041002 - The Oracle Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM) - PAM. | Unix | DISA Oracle Linux 7 STIG v2r12
OL07-00-041003 - The Oracle Linux operating system must implement certificate status checking for PKI authentication. | Unix | DISA Oracle Linux 7 STIG v2r12
OL08-00-010390 - OL 8 must have the package required for multifactor authentication installed. | Unix | DISA Oracle Linux 8 STIG v1r7
OL08-00-010400 - OL 8 must implement certificate status checking for multifactor authentication. | Unix | DISA Oracle Linux 8 STIG v1r7
RHEL-07-010061 - The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon. | Unix | DISA Red Hat Enterprise Linux 7 STIG v3r12
RHEL-07-041001 - The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed. | Unix | DISA Red Hat Enterprise Linux 7 STIG v3r12
RHEL-07-041002 - The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). | Unix | DISA Red Hat Enterprise Linux 7 STIG v3r12
RHEL-07-041003 - The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication. | Unix | DISA Red Hat Enterprise Linux 7 STIG v3r12
RHEL-08-010390 - RHEL 8 must have the packages required for multifactor authentication installed. | Unix | DISA Red Hat Enterprise Linux 8 STIG v1r11
RHEL-08-010400 - RHEL 8 must implement certificate status checking for multifactor authentication. | Unix | DISA Red Hat Enterprise Linux 8 STIG v1r11
SLES-12-030500 - The SUSE operating system must have the packages required for multifactor authentication to be installed. | Unix | DISA SLES 12 STIG v2r11
SLES-12-030510 - The SUSE operating system must implement certificate status checking for multifactor authentication. | Unix | DISA SLES 12 STIG v2r11
SLES-12-030520 - The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). | Unix | DISA SLES 12 STIG v2r11
SLES-15-010460 - The SUSE operating system must have the packages required for multifactor authentication to be installed | Unix | DISA SLES 15 STIG v1r10
SLES-15-010470 - The SUSE operating system must implement certificate status checking for multifactor authentication - which includes status information to an accepted trust anchor. | Unix | DISA SLES 15 STIG v1r10
SLES-15-020030 - The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). | Unix | DISA SLES 15 STIG v1r10
SYMP-AG-000350 - Symantec ProxySG providing user authentication intermediary services must implement multifactor authentication for remote access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. | BlueCoat | DISA Symantec ProxySG Benchmark ALG v1r3
SYMP-AG-000360 - Symantec ProxySG providing user authentication intermediary services must implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. | BlueCoat | DISA Symantec ProxySG Benchmark ALG v1r3
UBTU-16-030800 - The Ubuntu operating system must have the packages required for multifactor authentication to be installed. | Unix | DISA STIG Ubuntu 16.04 LTS v2r3
UBTU-16-030820 - The Ubuntu operating system must implement certificate status checking for multifactor authentication. | Unix | DISA STIG Ubuntu 16.04 LTS v2r3
UBTU-16-030840 - The Ubuntu operating system must implement smart card logins for multifactor authentication for access to accounts. | Unix | DISA STIG Ubuntu 16.04 LTS v2r3
UBTU-18-010431 - The Ubuntu operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. | Unix | DISA STIG Ubuntu 18.04 LTS v2r11
UBTU-20-010063 - The Ubuntu operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. | Unix | DISA STIG Ubuntu 20.04 LTS v1r7
UBTU-20-010063 - The Ubuntu operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. | Unix | DISA STIG Ubuntu 20.04 LTS v1r9
WN12-PK-000008-DC - Active directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), PIV-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | Windows | DISA Windows Server 2012 and 2012 R2 DC STIG v3r6
WN22-DC-000310 - Windows Server 2022 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | Windows | DISA Windows Server 2022 STIG v1r3