800-53|SC-7(5)

Title

DENY BY DEFAULT / ALLOW BY EXCEPTION

Description

The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

Supplemental

This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
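The two points a practitioner has to verify on a host firewall are the ones the supplemental guidance names: the default action is Block, and it is Block in both directions. The script below is an added example (not code from this page, NIST, or Tenable) that parses the text `netsh advfirewall show allprofiles` prints on Windows and flags every profile whose effective default action is not Block for inbound and outbound, or whose firewall is switched off. The sample output embedded in it is constructed to resemble netsh's layout and is not captured from a real host.

```python
"""Check Windows Firewall profiles for SC-7(5): deny by default, both directions.

Parses the text that `netsh advfirewall show allprofiles` prints and reports
each profile whose effective default action is not Block for inbound AND
outbound traffic, or whose firewall is switched off. The sample output below
is constructed for this example, not captured from a real host.
"""
import re

# Constructed sample in the layout netsh uses: three profiles, two of which
# violate the control (Domain allows outbound by default, Public is OFF).
SAMPLE_NETSH_OUTPUT = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)

Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Enable

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,BlockOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,BlockOutbound
"""

PROFILE_HEADER = re.compile(r"^(\w+) Profile Settings:\s*$")


def parse_profiles(text):
    """Return {profile_name: {setting: value}} from netsh-style output.

    netsh separates a setting's name from its value with a run of spaces,
    so each line is split on two or more spaces; lines that do not split
    into two parts (separator rules, blank lines, 'Logging:') are skipped.
    """
    profiles = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = PROFILE_HEADER.match(line)
        if header:
            current = header.group(1)
            profiles[current] = {}
            continue
        if current is None:
            continue
        parts = re.split(r"\s{2,}", line, maxsplit=1)
        if len(parts) == 2:
            profiles[current][parts[0]] = parts[1]
    return profiles


def evaluate_profiles(text):
    """Return {profile_name: [reasons]}; an empty list means the profile
    denies by default in both directions and is switched on."""
    findings = {}
    for name, settings in parse_profiles(text).items():
        reasons = []
        state = settings.get("State", "missing")
        if state.upper() != "ON":
            reasons.append("profile state is %s, firewall not enforcing" % state)
        policy = settings.get("Firewall Policy")
        if policy is None:
            reasons.append("no 'Firewall Policy' line; default actions unknown")
        else:
            # netsh prints the pair as "<inbound>,<outbound>".
            inbound, _, outbound = policy.partition(",")
            if inbound != "BlockInbound":
                reasons.append("default inbound action is %s, expected BlockInbound" % inbound)
            if outbound != "BlockOutbound":
                reasons.append("default outbound action is %s, expected BlockOutbound" % outbound)
        findings[name] = reasons
    return findings


def noncompliant_profiles(text):
    """Names of profiles with at least one finding, in output order."""
    return [name for name, reasons in evaluate_profiles(text).items() if reasons]


if __name__ == "__main__":
    for name, reasons in evaluate_profiles(SAMPLE_NETSH_OUTPUT).items():
        print("%-8s %s" % (name, "FAIL" if reasons else "PASS"))
        for reason in reasons:
            print("         - " + reason)
```

Feed it real output collected with `netsh advfirewall show allprofiles` from each host. Two caveats: Windows ships with AllowOutbound as the default, so the outbound half of this control is the one most often missed, and it will break software that nobody wrote an exception for, so the exception list has to exist before the default is flipped; and a Block default says nothing about how broad the exceptions are, so the allow rules themselves (the Windows Firewall program and port exception settings the audit items below refer to) still need review.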

Reference Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: BOUNDARY PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Baseline Impact: MODERATE,HIGH

Audit Items


Name | Plugin | Audit Name
1.1.5.2.7 Set 'Inbound Connections' to 'Enabled:Block (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.11 Set 'Inbound Connections' to 'Enabled:Block (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.2 Install TCP Wrappers - Allow localhost. Note: Replace 172.16.100.0/255.255.255.0 with a network block in use at your organization. | Unix | CIS Solaris 9 v1.3
1.2 Install TCP Wrappers - Deny access to this server from all networks | Unix | CIS Solaris 9 v1.3
1.2.1.1.1.1.4 Configure 'Windows Firewall: Allow local program exceptions' | Windows | CIS Windows 2003 MS v3.1.0
1.2.1.1.1.1.4 Configure 'Windows Firewall: Allow local program exceptions' | Windows | CIS Windows 2003 DC v3.1.0
1.2.1.1.1.1.9 Configure 'Windows Firewall: Define inbound program exceptions' | Windows | CIS Windows 2003 MS v3.1.0
1.2.1.1.1.1.9 Configure 'Windows Firewall: Define inbound program exceptions' | Windows | CIS Windows 2003 DC v3.1.0
1.2.1.1.1.1.10 Configure 'Windows Firewall: Allow local port exceptions' | Windows | CIS Windows 2003 MS v3.1.0
1.2.1.1.1.1.10 Configure 'Windows Firewall: Allow local port exceptions' | Windows | CIS Windows 2003 DC v3.1.0
1.2.1.1.1.1.12 Configure 'Windows Firewall: Do not allow exceptions' | Windows | CIS Windows 2003 DC v3.1.0
1.2.1.1.1.1.12 Configure 'Windows Firewall: Do not allow exceptions' | Windows | CIS Windows 2003 MS v3.1.0
1.2.1.1.1.2.2 Configure 'Windows Firewall: Do not allow exceptions' | Windows | CIS Windows 2003 DC v3.1.0
1.2.1.1.1.2.2 Configure 'Windows Firewall: Do not allow exceptions' | Windows | CIS Windows 2003 MS v3.1.0
1.2.1.1.1.2.3 Configure 'Windows Firewall: Allow local program exceptions' | Windows | CIS Windows 2003 DC v3.1.0
1.2.1.1.1.2.3 Configure 'Windows Firewall: Allow local program exceptions' | Windows | CIS Windows 2003 MS v3.1.0
1.2.1.1.1.2.4 Configure 'Windows Firewall: Allow local port exceptions' | Windows | CIS Windows 2003 DC v3.1.0
1.2.1.1.1.2.4 Configure 'Windows Firewall: Allow local port exceptions' | Windows | CIS Windows 2003 MS v3.1.0
1.2.1.1.1.2.12 Configure 'Windows Firewall: Define inbound program exceptions' | Windows | CIS Windows 2003 MS v3.1.0
1.2.1.1.1.2.12 Configure 'Windows Firewall: Define inbound program exceptions' | Windows | CIS Windows 2003 DC v3.1.0
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured' | Cisco | CIS Cisco IOS 15 L1 v4.0.1
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured' | Cisco | CIS Cisco IOS 16 L1 v1.1.0
1.3 Ensure specific whitelisted IP addresses, IP address ranges, and/or domains are set | Windows | CIS Microsoft SharePoint 2016 OS v1.1.0
1.3 Ensure specific whitelisted IP addresses, IP address ranges, and/or domains are set | Windows | CIS Microsoft SharePoint 2019 OS v1.0.0
1.3.1 Disable CDP | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.3.2 Disable TCP and UDP small servers | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.5.1 Unset 'private' for 'snmp-server community' | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.5.2 Unset 'public' for 'snmp-server community' | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.5.3 Do not set 'RW' for any 'snmp-server community' | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL' | Cisco | CIS Cisco IOS 15 L1 v4.0.1
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL' | Cisco | CIS Cisco IOS 16 L1 v1.1.0
1.5.15 Windows Firewall: Inbound connections (Domain) | Windows | CIS Windows 2008 Enterprise v1.2.0
1.5.15 Windows Firewall: Inbound connections (Domain) | Windows | CIS Windows 2008 SSLF v1.2.0
1.5.16 Windows Firewall: Inbound connections (Private) | Windows | CIS Windows 2008 Enterprise v1.2.0
1.5.16 Windows Firewall: Inbound connections (Private) | Windows | CIS Windows 2008 SSLF v1.2.0
1.5.17 Windows Firewall: Inbound connections (Public) | Windows | CIS Windows 2008 SSLF v1.2.0
1.5.17 Windows Firewall: Inbound connections (Public) | Windows | CIS Windows 2008 Enterprise v1.2.0
2.1 Configure TCP Wrappers | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2016 Database L1 AWS RDS v1.4.0
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2017 Database L1 DB v1.3.0
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2022 Database L1 AWS RDS v1.1.0
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2019 Database L1 DB v1.3.0
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2022 Database L1 DB v1.1.0
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2016 Database L1 DB v1.4.0
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2019 Database L1 AWS RDS v1.3.0
2.1.1 Ensure 'extproc' Is Not Present in 'listener.ora' | Unix | CIS Oracle Server 19c Linux v1.2.0
10.2 SN.2 Remove Support for Internet Services (inetd) | Unix | CIS Oracle Solaris 11.4 L2 v1.1.0