800-53|IA-5(6)

Title

PROTECTION OF AUTHENTICATORS

Description

The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.

Supplemental

For information systems containing multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems.

Reference Item Details

Category: IDENTIFICATION AND AUTHENTICATION

Parent Title: AUTHENTICATOR MANAGEMENT

Family: IDENTIFICATION AND AUTHENTICATION

Audit Items

Name | Plugin | Audit Name
1.1.1.2.1.27 Set 'Network security: LAN Manager authentication level' to 'Send NTLMv2 response only. Refuse LM & NTLM' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.27 Set 'Network security: LAN Manager authentication level' to 'Send NTLMv2 response only. Refuse LM & NTLM' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.53 Set 'Network security: Do not store LAN Manager hash value on next password change' to 'Enabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.53 Set 'Network security: Do not store LAN Manager hash value on next password change' to 'Enabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.3.11.1 Set 'Network security: Do not store LAN Manager hash value on next password change' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.11.11 Set 'Network security: LAN Manager authentication level' to 'Send NTLMv2 response only. Refuse LM & NTLM' | Windows | CIS Windows 8 L1 v1.0.0
1.6.1 Enable Hidden Passwords '/etc/passwd' | Unix | CIS HP-UX 11i v1.5
1.6.1 Enable Hidden Passwords '/etc/shadow' | Unix | CIS HP-UX 11i v1.5
1.9.46 Network security: Do not store LAN Manager hash value on next password change | Windows | CIS Windows 2008 SSLF v1.2.0
1.9.46 Network security: Do not store LAN Manager hash value on next password change | Windows | CIS Windows 2008 Enterprise v1.2.0
1.9.47 Network security: LAN Manager authentication level | Windows | CIS Windows 2008 Enterprise v1.2.0
1.9.47 Network security: LAN Manager authentication level | Windows | CIS Windows 2008 SSLF v1.2.0
2.3.11.3 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.1.0
2.3.11.3 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.1.0
2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Windows Server 2012 R2 DC L1 v2.5.0
2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2016 DC L1 v1.2.0
2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Windows Server 2012 R2 MS L1 v2.4.0
2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Windows Server 2012 R2 MS L1 v2.5.0
2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Windows Server 2012 MS L1 v2.1.0
2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 v3.1.0
2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.1.0
2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2016 MS L1 v1.2.0
2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Windows Server 2012 R2 DC L1 v2.4.0
2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Windows Server 2012 DC L1 v2.1.0
2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.1.0
2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.1.0
2.3.11.5 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.1.0
2.3.11.5 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.1.0
2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' | Windows | CIS Windows Server 2012 R2 DC L1 v2.4.0
2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.1.0
2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' | Windows | CIS Windows Server 2012 DC L1 v2.1.0
2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' | Windows | CIS Microsoft Windows Server 2016 MS L1 v1.2.0
2.3.11.7 Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' | Windows | CIS Windows Server 2012 MS L1 v2.1.0
2.11.2 - Permissions and Ownership - '/etc/group root:security 644' | Unix | CIS AIX 5.3/6.1 L1 v1.1.0
2.11.3 - Permissions and Ownership - '/etc/passwd root:security 644' | Unix | CIS AIX 5.3/6.1 L1 v1.1.0
12.1 Verify Permissions on /etc/passwd | Unix | CIS Debian Linux 7 L1 v1.0.0
12.1 Verify Permissions on /etc/passwd | Unix | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
12.2 Verify Permissions on /etc/shadow | Unix | CIS Debian Linux 7 L1 v1.0.0
12.2 Verify Permissions on /etc/shadow | Unix | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
12.3 Verify Permissions on /etc/group | Unix | CIS Debian Linux 7 L1 v1.0.0
12.3 Verify Permissions on /etc/group | Unix | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
12.4 Verify User/Group Ownership on /etc/passwd | Unix | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
12.4 Verify User/Group Ownership on /etc/passwd | Unix | CIS Debian Linux 7 L1 v1.0.0
12.5 Verify User/Group Ownership on /etc/shadow | Unix | CIS Debian Linux 7 L1 v1.0.0
12.6 Verify User/Group Ownership on /etc/group | Unix | CIS Debian Linux 7 L1 v1.0.0
12.6 Verify User/Group Ownership on /etc/group | Unix | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
18.10.55.2 (L1) Ensure 'Turn on Basic feed authentication over HTTP' is set to 'Disabled' | Windows | CIS Microsoft Windows 10 EMS Gateway v3.0.0 L1