800-53|IA-3

Title

DEVICE IDENTIFICATION AND AUTHENTICATION

Description

The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.

Supplemental

Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type and device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification, or organizational authentication solutions (e.g., IEEE 802.1x with Extensible Authentication Protocol [EAP], a RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and/or wide area networks. Organizations determine the required strength of authentication mechanisms from the security categories of their information systems. Because applying this control at large scale is challenging, organizations are encouraged to apply it only to the limited number (and type) of devices that truly need to support this capability.

Reference Item Details

Related: AC-17, AC-18, AC-19, CA-3, IA-4, IA-5

Category: IDENTIFICATION AND AUTHENTICATION

Family: IDENTIFICATION AND AUTHENTICATION

Priority: P1

Baseline Impact: MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1.1.2.1.36 Set 'Microsoft network client: Digitally sign communications (always)' to 'Enabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.36 Set 'Microsoft network client: Digitally sign communications (always)' to 'Enabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.42 Set 'Domain member: Digitally sign secure channel data (when possible)' to 'Enabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.42 Set 'Domain member: Digitally sign secure channel data (when possible)' to 'Enabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.43 Set 'Domain member: Digitally encrypt secure channel data (when possible)' to 'Enabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.43 Set 'Domain member: Digitally encrypt secure channel data (when possible)' to 'Enabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.44 Configure 'Domain controller: LDAP server signing requirements' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.50 Set 'Microsoft network client: Digitally sign communications (if server agrees)' to 'Enabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.50 Set 'Microsoft network client: Digitally sign communications (if server agrees)' to 'Enabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.51 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.51 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.61 Set 'Microsoft network server: Digitally sign communications (always)' to 'Enabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.61 Set 'Microsoft network server: Digitally sign communications (always)' to 'Enabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.69 Set 'Domain member: Require strong (Windows 2000 or later) session key' to 'Enabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.69 Set 'Domain member: Require strong (Windows 2000 or later) session key' to 'Enabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.76 Set 'Microsoft network server: Digitally sign communications (if client agrees)' to 'Enabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.76 Set 'Microsoft network server: Digitally sign communications (if client agrees)' to 'Enabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.3.11.3 Set 'Network security: Allow Local System to use computer identity for NTLM' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.27 Disable Automounting | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.1.28 Disable USB Storage - /bin/true | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.1.28 Disable USB Storage - blacklist | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.2.4.2.2.27 Set 'Allow Secure Boot for integrity validation' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.4.14.4 Secure SMB | Unix | CIS Apple OSX 10.6 Snow Leopard L2 v1.0.0
1.8.18 Ensure graphical user interface automounter is disabled - automount | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.8.18 Ensure graphical user interface automounter is disabled - automount-open | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.8.18 Ensure graphical user interface automounter is disabled - automount-open=false | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.8.18 Ensure graphical user interface automounter is disabled - automount=false | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.8.18 Ensure graphical user interface automounter is disabled - autorun-never | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.8.18 Ensure graphical user interface automounter is disabled - autorun-never=true | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.9.1.1 Ensure 'NTP authentication' is enabled | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.9.1.1 Ensure 'NTP authentication' is enabled | Cisco | CIS Cisco Firewall ASA 8 L1 v4.1.0
1.9.1.1 Ensure 'NTP authentication' is enabled | Cisco | CIS Cisco Firewall ASA 9 L1 v4.0.0
1.9.1.2 Ensure 'NTP authentication key' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.9.1.2 Ensure 'NTP authentication key' is configured correctly | Cisco | CIS Cisco Firewall ASA 9 L1 v4.0.0
1.9.1.2 Ensure 'NTP authentication key' is configured correctly | Cisco | CIS Cisco Firewall ASA 8 L1 v4.1.0
1.9.12 Domain member: Digitally encrypt or sign secure channel data (always) | Windows | CIS Windows 2008 SSLF v1.2.0
1.9.12 Domain member: Digitally encrypt or sign secure channel data (always) | Windows | CIS Windows 2008 Enterprise v1.2.0
1.9.13 Domain member: Digitally encrypt secure channel data (when possible) | Windows | CIS Windows 2008 SSLF v1.2.0
1.9.13 Domain member: Digitally encrypt secure channel data (when possible) | Windows | CIS Windows 2008 Enterprise v1.2.0
1.9.14 Domain member: Digitally sign secure channel data (when possible) | Windows | CIS Windows 2008 Enterprise v1.2.0
1.9.14 Domain member: Digitally sign secure channel data (when possible) | Windows | CIS Windows 2008 SSLF v1.2.0
1.9.17 Domain member: Require strong (Windows 2000 or later) session key | Windows | CIS Windows 2008 Enterprise v1.2.0
1.9.17 Domain member: Require strong (Windows 2000 or later) session key | Windows | CIS Windows 2008 SSLF v1.2.0
1.9.19 Domain controller: LDAP server signing requirements | Windows | CIS Windows 2008 Enterprise v1.2.0
1.9.19 Domain controller: LDAP server signing requirements - Domain Controller | Windows | CIS Windows 2008 SSLF v1.2.0
1.9.19 Domain controller: LDAP server signing requirements - Member Server | Windows | CIS Windows 2008 SSLF v1.2.0
1.9.30 Microsoft network client: Digitally sign communications (always) | Windows | CIS Windows 2008 Enterprise v1.2.0
1.9.30 Microsoft network client: Digitally sign communications (always) | Windows | CIS Windows 2008 SSLF v1.2.0
1.11 Ensure Web Tier ELB is using HTTPS listener | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0
1.14 Ensure App Tier ELB is using HTTPS listener | amazon_aws | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0