800-53|IA-2(9)

Title

NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT

Description

The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.

Supplemental

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by recording and replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges, such as Transport Layer Security (TLS), and time-synchronous or challenge-response one-time authenticators.

Reference Item Details

Category: IDENTIFICATION AND AUTHENTICATION

Parent Title: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

Family: IDENTIFICATION AND AUTHENTICATION

Baseline Impact: HIGH

Audit Items

Name | Plugin | Audit Name
AIX7-00-001012 - AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts - lssrc sshd | Unix | DISA STIG AIX 7.x v2r6
AIX7-00-001012 - AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts - openssh.base.server | Unix | DISA STIG AIX 7.x v2r6
AOSX-13-000570 - The macOS system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Unix | DISA STIG Apple Mac OSX 10.13 v2r5
APPL-11-000011 - The macOS system must disable the SSHD service. | Unix | DISA STIG Apple macOS 11 v1r5
APPL-11-000011 - The macOS system must disable the SSHD service. | Unix | DISA STIG Apple macOS 11 v1r6
APPL-12-000011 - The macOS system must disable the SSHD service. | Unix | DISA STIG Apple macOS 12 v1r3
Big Sur - Disable SSH Server for Remote Access Sessions | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Disable SSH Server for Remote Access Sessions | Unix | NIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Disable SSH Server for Remote Access Sessions | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Disable SSH Server for Remote Access Sessions | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Disable SSH Server for Remote Access Sessions | Unix | NIST macOS Big Sur v1.4.0 - 800-171
Big Sur - Disable SSH Server for Remote Access Sessions | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253
Big Sur - Disable SSH Server for Remote Access Sessions | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Disable SSH Server for Remote Access Sessions | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Low
Big Sur - Disable SSH Server for Remote Access Sessions | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Low
Catalina - Disable SSH Server for Remote Access Sessions | Unix | NIST macOS Catalina v1.5.0 - CNSSI 1253
Catalina - Disable SSH Server for Remote Access Sessions | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 High
Catalina - Disable SSH Server for Remote Access Sessions | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Disable SSH Server for Remote Access Sessions | Unix | NIST macOS Catalina v1.5.0 - 800-171
Catalina - Disable SSH Server for Remote Access Sessions | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Disable SSH Server for Remote Access Sessions | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Low
Catalina - Disable SSH Server for Remote Access Sessions | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Disable SSH Server for Remote Access Sessions | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Low
Catalina - Disable SSH Server for Remote Access Sessions | Unix | NIST macOS Catalina v1.5.0 - All Profiles
Catalina - Enable SSH for Remote Access Sessions | Unix | NIST macOS Catalina v1.5.0 - All Profiles
EDGE-00-000062 - The built-in DNS client must be disabled. | Windows | DISA STIG Edge v1r5
ESXI-06-300037 - The VMM must implement replay-resistant authentication mechanisms for network access to non-privileged accounts by using Active Directory for local user authentication. | VMware | DISA STIG VMware vSphere 6.x ESXi v1r5
ESXI-06-300038 - The VMM must implement replay-resistant authentication mechanisms for network access to non-privileged accounts by using the vSphere Authentication Proxy. | VMware | DISA STIG VMware vSphere 6.x ESXi v1r5
ESXI-06-300039 - The VMM must implement replay-resistant authentication mechanisms for network access to non-privileged accounts by restricting use of Active Directory ESX Admin group membership. | VMware | DISA STIG VMware vSphere 6.x ESXi v1r5
ESXI-67-000037 - The ESXi host must use Active Directory for local user authentication. | VMware | DISA STIG VMware vSphere 6.7 ESXi v1r2
ESXI-67-000038 - ESXi hosts using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory. | VMware | DISA STIG VMware vSphere 6.7 ESXi v1r2
ESXI-67-000039 - Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory. | VMware | DISA STIG VMware vSphere 6.7 ESXi v1r2
Monterey - Enable SSH Server for Remote Access Sessions | Unix | NIST macOS Monterey v1.0.0 - 800-171
Monterey - Enable SSH Server for Remote Access Sessions | Unix | NIST macOS Monterey v1.0.0 - All Profiles
Monterey - Enable SSH Server for Remote Access Sessions | Unix | NIST macOS Monterey v1.0.0 - 800-53r5 Low
Monterey - Enable SSH Server for Remote Access Sessions | Unix | NIST macOS Monterey v1.0.0 - 800-53r4 High
Monterey - Enable SSH Server for Remote Access Sessions | Unix | NIST macOS Monterey v1.0.0 - 800-53r5 High
Monterey - Enable SSH Server for Remote Access Sessions | Unix | NIST macOS Monterey v1.0.0 - 800-53r4 Low
Monterey - Enable SSH Server for Remote Access Sessions | Unix | NIST macOS Monterey v1.0.0 - 800-53r5 Moderate
Monterey - Enable SSH Server for Remote Access Sessions | Unix | NIST macOS Monterey v1.0.0 - CNSSI 1253
Monterey - Enable SSH Server for Remote Access Sessions | Unix | NIST macOS Monterey v1.0.0 - 800-53r4 Moderate
PHTN-67-000068 - The Photon operating system must use OpenSSH for remote maintenance sessions. | Unix | DISA STIG VMware vSphere 6.7 Photon OS v1r3
SOL-11.1-050240 - The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception) - filters | Unix | DISA STIG Solaris 11 X86 v2r6
SOL-11.1-050240 - The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception) - filters | Unix | DISA STIG Solaris 11 SPARC v2r6
SOL-11.1-050240 - The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception) - firewall/pflog | Unix | DISA STIG Solaris 11 SPARC v2r6
SOL-11.1-050240 - The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception) - service | Unix | DISA STIG Solaris 11 SPARC v2r6
SOL-11.1-050240 - The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception) - service | Unix | DISA STIG Solaris 11 X86 v2r6
SYMP-AG-000380 - Symantec ProxySG providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts. | BlueCoat | DISA Symantec ProxySG Benchmark ALG v1r3
UBTU-16-030200 - The Ubuntu operating system must enforce SSHv2 for network access to all accounts. | Unix | DISA STIG Ubuntu 16.04 LTS v2r3
UBTU-18-010412 - The Ubuntu operating system must enforce SSHv2 for network access to all accounts. | Unix | DISA STIG Ubuntu 18.04 LTS v2r8