800-53|SC-11

Title

TRUSTED PATH

Description

The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication].

Supplemental

Trusted paths are mechanisms by which users (through input devices) can communicate directly with security functions of information systems with the requisite assurance to support information security policies. The mechanisms can be activated only by users or the security functions of organizational information systems. User responses via trusted paths are protected from modifications by or disclosure to untrusted applications. Organizations employ trusted paths for high-assurance connections between security functions of information systems and users (e.g., during system logons). Enforcement of trusted communications paths is typically provided via an implementation that meets the reference monitor concept.

Reference Item Details

Related: AC-16,AC-25

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P0

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.4 Set 'External send connector authentication: DNS Routing' to 'True' | Windows | CIS Microsoft Exchange Server 2016 Edge v1.0.0 |
| 1.4 Set 'External send connector authentication: DNS Routing' to 'True' | Windows | CIS Microsoft Exchange Server 2013 Edge v1.1.0 |
| 2.2.8 Ensure 'External send connector authentication: DNS routing' is set to 'True' | Windows | CIS Microsoft Exchange Server 2019 L1 Mailbox v1.0.0 |
| CD12-00-010100 - PostgreSQL must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | PostgreSQLDB | DISA STIG Crunchy Data PostgreSQL DB v3r1 |
| EPAS-00-008800 - The EDB Postgres Advanced Server must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | PostgreSQLDB | EnterpriseDB PostgreSQL Advanced Server DB v2r1 |
| PHTN-40-000133 - The Photon operating system must require users to reauthenticate for privilege escalation. | Unix | DISA VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 STIG v2r1 |
| WBLC-08-000211 - Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system - Listen Port | Windows | Oracle WebLogic Server 12c Windows v2r2 |
| WBLC-08-000211 - Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system - Listen Port | Unix | Oracle WebLogic Server 12c Linux v2r2 |
| WBLC-08-000211 - Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system - Listen Port | Unix | Oracle WebLogic Server 12c Linux v2r2 Middleware |
| WBLC-08-000211 - Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system - SSL Listen Port | Unix | Oracle WebLogic Server 12c Linux v2r2 |
| WBLC-08-000211 - Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system - SSL Listen Port | Windows | Oracle WebLogic Server 12c Windows v2r2 |
| WBLC-08-000211 - Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system - SSL Listen Port | Unix | Oracle WebLogic Server 12c Linux v2r2 Middleware |
| WN25-CC-000340 - Windows Server 2025 must not save passwords in the Remote Desktop Client. | Windows | DISA Microsoft Windows Server 2025 STIG v1r1 |
| WN25-CC-000360 - Windows Server 2025 Remote Desktop Services must always prompt a client for passwords upon connection. | Windows | DISA Microsoft Windows Server 2025 STIG v1r1 |
| WN25-CC-000520 - Windows Server 2025 Windows Remote Management (WinRM) service must not store RunAs credentials. | Windows | DISA Microsoft Windows Server 2025 STIG v1r1 |
| WN25-SO-000380 - Windows Server 2025 User Account Control (UAC) approval mode for the built-in Administrator must be enabled. | Windows | DISA Microsoft Windows Server 2025 STIG v1r1 |
| WN25-SO-000410 - Windows Server 2025 User Account Control (UAC) must automatically deny standard user requests for elevation. | Windows | DISA Microsoft Windows Server 2025 STIG v1r1 |
| WN25-SO-000440 - Windows Server 2025 User Account Control (UAC) must run all administrators in Admin Approval Mode, enabling UAC. | Windows | DISA Microsoft Windows Server 2025 STIG v1r1 |
| WPAW-00-001700 - The Windows PAW must use a trusted channel for all connections between a PAW and IT resources managed from the PAW. | Windows | DISA Microsoft Windows PAW STIG v3r2 |