800-53|SC-7(5)

Title

DENY BY DEFAULT / ALLOW BY EXCEPTION

Description

The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

Supplemental

This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
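
The deny-all, permit-by-exception policy described above, modeled as a first-match packet filter with a per-chain default policy in the style of iptables/nftables, as an added example that is not part of this reference page or of any benchmark listed below. A "blacklist" ruleset (default accept, drop a few known-bad ports) is evaluated beside an allowlist ruleset (default drop, accept only approved services) against the same traffic, and a small audit function flags any chain whose default is not drop. The rulesets, addresses, ports and sample packets are constructed for illustration; `audit_default_policy` is a hypothetical check, not a Tenable plugin.

```python
"""Default-deny vs default-allow filtering on inbound and outbound chains.

Added example: models a stateless two-chain filter where each chain holds an
ordered rule list and a default policy applied when no rule matches.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out"
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    src: Optional[str] = None    # CIDR; None matches any source
    dst: Optional[str] = None    # CIDR; None matches any destination

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return True


@dataclass
class Chain:
    policy: str  # verdict when no rule matches: the "default" of SC-7(5)
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:  # first match wins, as in iptables/nftables
            if rule.matches(pkt):
                return rule.action
        return self.policy


@dataclass
class Ruleset:
    inbound: Chain
    outbound: Chain

    def verdict(self, pkt: Packet) -> str:
        chain = self.inbound if pkt.direction == "in" else self.outbound
        return chain.verdict(pkt)


def audit_default_policy(rs: Ruleset) -> List[str]:
    """Hypothetical SC-7(5) check: both chains must default to drop."""
    findings = []
    for name, chain in (("inbound", rs.inbound), ("outbound", rs.outbound)):
        if chain.policy != "drop":
            findings.append(f"{name}: default policy is {chain.policy}, not drop")
    return findings


# Constructed rulesets. BLACKLIST drops two known-bad ports and lets everything
# else through; ALLOWLIST permits only approved flows and drops the rest.
BLACKLIST = Ruleset(
    inbound=Chain("accept", [Rule("drop", "tcp", 23), Rule("drop", "tcp", 445)]),
    outbound=Chain("accept", []),
)
ALLOWLIST = Ruleset(
    inbound=Chain("drop", [
        Rule("accept", "tcp", 443),
        Rule("accept", "tcp", 22, src="10.0.0.0/8"),   # admin SSH from internal only
    ]),
    outbound=Chain("drop", [
        Rule("accept", "udp", 53, dst="10.0.0.53/32"),  # approved resolver only
        Rule("accept", "tcp", 443),
    ]),
)

# Constructed sample traffic: approved HTTPS, unapproved RDP, external SSH,
# and outbound DNS to a resolver that was never approved.
SAMPLE = [
    Packet("in", "203.0.113.7", "10.0.1.10", "tcp", 443),
    Packet("in", "203.0.113.7", "10.0.1.10", "tcp", 3389),
    Packet("in", "203.0.113.7", "10.0.1.10", "tcp", 22),
    Packet("out", "10.0.1.10", "8.8.8.8", "udp", 53),
]


def evaluate(rs: Ruleset, packets=SAMPLE) -> List[str]:
    """Verdict per packet, in input order."""
    return [rs.verdict(p) for p in packets]


if __name__ == "__main__":
    for name, rs in (("blacklist", BLACKLIST), ("allowlist", ALLOWLIST)):
        print(name, evaluate(rs), audit_default_policy(rs) or "OK")
```

The blacklist passes the RDP probe, the external SSH attempt and the outbound DNS to an unapproved resolver, because nothing in the policy names them; the allowlist drops all three while still admitting the approved HTTPS flow. The audit function catches the blacklist's failure without inspecting a single rule, since the default policy alone decides whether unlisted traffic is permitted; that is the same property the firewall, TCP Wrappers and ACL audit items below test on their respective platforms.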

Reference Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: BOUNDARY PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Baseline Impact: MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
1.1.5.2.7 Set 'Inbound Connections' to 'Enabled:Block (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.11 Set 'Inbound Connections' to 'Enabled:Block (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.2 Install TCP Wrappers - Allow localhost. Note: Replace 172.16.100.0/255.255.255.0 with a network block in use at your organization. | Unix | CIS Solaris 9 v1.3
1.2 Install TCP Wrappers - Deny access to this server from all networks | Unix | CIS Solaris 9 v1.3
1.2.3 Set 'no exec' for 'line aux 0' | Cisco | CIS Cisco IOS 16 L1 v2.0.0
1.2.3 Set 'no exec' for 'line aux 0' | Cisco | CIS Cisco IOS 17 L1 v2.0.0
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.3 Ensure specific whitelisted IP addresses, IP address ranges, and/or domains are set | Windows | CIS Microsoft SharePoint 2019 OS v1.0.0
1.3 Ensure specific whitelisted IP addresses, IP address ranges, and/or domains are set | Windows | CIS Microsoft SharePoint 2016 OS v1.1.0
1.5.1 Set 'no snmp-server' to disable SNMP when unused | Cisco | CIS Cisco IOS 16 L1 v2.0.0
1.5.1 Set 'no snmp-server' to disable SNMP when unused | Cisco | CIS Cisco IOS 17 L1 v2.0.0
1.5.2 Unset 'private' for 'snmp-server community' | Cisco | CIS Cisco IOS 16 L1 v2.0.0
1.5.2 Unset 'private' for 'snmp-server community' | Cisco | CIS Cisco IOS 17 L1 v2.0.0
1.5.3 Unset 'public' for 'snmp-server community' | Cisco | CIS Cisco IOS 16 L1 v2.0.0
1.5.3 Unset 'public' for 'snmp-server community' | Cisco | CIS Cisco IOS 17 L1 v2.0.0
1.5.4 Do not set 'RW' for any 'snmp-server community' | Cisco | CIS Cisco IOS 17 L1 v2.0.0
1.5.4 Do not set 'RW' for any 'snmp-server community' | Cisco | CIS Cisco IOS 16 L1 v2.0.0
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2017 Database L1 DB v1.3.0
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2016 Database L1 AWS RDS v1.4.0
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2016 Database L1 DB v1.4.0
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2019 Database L1 DB v1.3.0
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2022 Database L1 AWS RDS v1.0.0
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2019 Database L1 AWS RDS v1.3.0
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2022 Database L1 DB v1.0.0
2.1.1 Ensure 'extproc' Is Not Present in 'listener.ora' | Windows | CIS Oracle Server 19c Windows v1.1.0
2.1.1 Ensure 'extproc' Is Not Present in 'listener.ora' | Unix | CIS Oracle Server 19c Linux v1.1.0
2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' | Unix | CIS Oracle Server 18c Linux v1.1.0
2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' | Windows | CIS Oracle Server 18c Windows v1.1.0
2.1.2 Set 'no cdp run' | Cisco | CIS Cisco IOS 16 L1 v2.0.0
2.1.2 Set 'no cdp run' | Cisco | CIS Cisco IOS 17 L1 v2.0.0
2.1.3 Ensure NFS and RPC are not enabled - nfs-server | Unix | CIS Google Container-Optimized OS L1 Server v1.1.0
2.1.3 Ensure NFS and RPC are not enabled - rpcbind | Unix | CIS Google Container-Optimized OS L1 Server v1.1.0
2.1.3 Set 'no ip bootp server' | Cisco | CIS Cisco IOS 16 L1 v2.0.0
2.1.3 Set 'no ip bootp server' | Cisco | CIS Cisco IOS 17 L1 v2.0.0
2.1.4 Ensure rsync service is not enabled | Unix | CIS Google Container-Optimized OS L1 Server v1.1.0
2.1.4 Set 'no service dhcp' | Cisco | CIS Cisco IOS 17 L1 v2.0.0
2.1.4 Set 'no service dhcp' | Cisco | CIS Cisco IOS 16 L1 v2.0.0
2.1.4 Set 'no service dhcp' - dhcp pool | Cisco | CIS Cisco IOS 17 L1 v2.0.0
2.1.4 Set 'no service dhcp' - dhcp pool | Cisco | CIS Cisco IOS 16 L1 v2.0.0
2.1.5 Set 'no ip identd' | Cisco | CIS Cisco IOS 16 L1 v2.0.0
2.1.5 Set 'no ip identd' | Cisco | CIS Cisco IOS 17 L1 v2.0.0
2.1.6 Set 'service tcp-keepalives-in' | Cisco | CIS Cisco IOS 16 L1 v2.0.0
2.1.6 Set 'service tcp-keepalives-in' | Cisco | CIS Cisco IOS 17 L1 v2.0.0
2.1.7 Ensure that the --make-iptables-util-chains argument is set to true | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
2.1.8 Ensure that the --make-iptables-util-chains argument is set to true | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
2.1.8 Ensure that the --make-iptables-util-chains argument is set to true | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
2.1.8 Ensure that the --make-iptables-util-chains argument is set to true | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
2.1.8 Set 'no service pad' | Cisco | CIS Cisco IOS 16 L1 v2.0.0