800-53|SC-7(5)

Title

DENY BY DEFAULT / ALLOW BY EXCEPTION

Description

The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

Supplemental

This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.

Reference Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: BOUNDARY PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Baseline Impact: MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1.5.2.7 Set 'Inbound Connections' to 'Enabled:Block (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.11 Set 'Inbound Connections' to 'Enabled:Block (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.2 Install TCP Wrappers - Allow localhost. Note: Replace 172.16.100.0/255.255.255.0 with a network block in use at your organization. | Unix | CIS Solaris 9 v1.3
1.2 Install TCP Wrappers - Deny access to this server from all networks | Unix | CIS Solaris 9 v1.3
1.2.3 Set 'no exec' for 'line aux 0' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
1.2.3 Set 'no exec' for 'line aux 0' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.3 Ensure specific whitelisted IP addresses, IP address ranges, and/or domains are set | Windows | CIS Microsoft SharePoint 2019 OS v1.0.0
1.3 Ensure specific whitelisted IP addresses, IP address ranges, and/or domains are set | Windows | CIS Microsoft SharePoint 2016 OS v1.1.0
1.5.1 Set 'no snmp-server' to disable SNMP when unused | Cisco | CIS Cisco IOS 16 L1 v1.1.2
1.5.1 Set 'no snmp-server' to disable SNMP when unused | Cisco | CIS Cisco IOS 17 L1 v1.0.0
1.5.2 Unset 'private' for 'snmp-server community' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
1.5.2 Unset 'private' for 'snmp-server community' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
1.5.3 Unset 'public' for 'snmp-server community' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
1.5.3 Unset 'public' for 'snmp-server community' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
1.5.4 Do not set 'RW' for any 'snmp-server community' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
1.5.4 Do not set 'RW' for any 'snmp-server community' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
2.1.2 Set 'no cdp run' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
2.1.2 Set 'no cdp run' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
2.1.3 Ensure NFS and RPC are not enabled - nfs-server | Unix | CIS Google Container-Optimized OS L1 Server v1.0.0
2.1.3 Ensure NFS and RPC are not enabled - rpcbind | Unix | CIS Google Container-Optimized OS L1 Server v1.0.0
2.1.3 Set 'no ip bootp server' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
2.1.3 Set 'no ip bootp server' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
2.1.4 Ensure rsync service is not enabled | Unix | CIS Google Container-Optimized OS L1 Server v1.0.0
2.1.4 Set 'no service dhcp' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
2.1.4 Set 'no service dhcp' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
2.1.4 Set 'no service dhcp' - dhcp pool | Cisco | CIS Cisco IOS 17 L1 v1.0.0
2.1.4 Set 'no service dhcp' - dhcp pool | Cisco | CIS Cisco IOS 16 L1 v1.1.2
2.1.5 Set 'no ip identd' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
2.1.5 Set 'no ip identd' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
2.1.6 Set 'service tcp-keepalives-in' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
2.1.6 Set 'service tcp-keepalives-in' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
2.1.7 Ensure that the --make-iptables-util-chains argument is set to true | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
2.1.8 Ensure that the --make-iptables-util-chains argument is set to true | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
2.1.8 Ensure that the --make-iptables-util-chains argument is set to true | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
2.1.8 Ensure that the --make-iptables-util-chains argument is set to true | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
2.1.8 Set 'no service pad' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
2.1.8 Set 'no service pad' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
2.2 Ensure the ESXi host firewall is configured to restrict access to services running on the host | Unix | CIS VMware ESXi 6.7 v1.2.0 Level 1 Bare Metal
2.2 Ensure the ESXi host firewall is configured to restrict access to services running on the host | VMware | CIS VMware ESXi 7.0 v1.1.0 Level 1
2.4 Configure TCP Wrappers - Allow localhost. | Unix | CIS Solaris 10 L1 v5.2
2.10.2 - TCP Wrappers - creating a hosts.deny file - configuration - 'hosts.deny file contains ALL:ALL' | Unix | CIS AIX 5.3/6.1 L1 v1.1.0
2.10.3 - TCP Wrappers - creating a hosts.allow file - configuration - 'hosts.allow has been configured' | Unix | CIS AIX 5.3/6.1 L1 v1.1.0
2.11 Configure TCP Wrappers - hosts.allow | Unix | CIS Solaris 11.1 L1 v1.0.0
2.11 Configure TCP Wrappers - hosts.allow | Unix | CIS Solaris 11.2 L1 v1.1.0
2.11 Configure TCP Wrappers - hosts.deny | Unix | CIS Solaris 11.2 L1 v1.1.0
2.11 Configure TCP Wrappers - hosts.deny | Unix | CIS Solaris 11.1 L1 v1.0.0
2.12 Configure TCP Wrappers - hosts.allow | Unix | CIS Solaris 11 L1 v1.1.0
2.12 Configure TCP Wrappers - hosts.deny | Unix | CIS Solaris 11 L1 v1.1.0