800-53|SC-7(5)

Title

DENY BY DEFAULT / ALLOW BY EXCEPTION

Description

The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

Supplemental

This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.

Reference Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: BOUNDARY PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Baseline Impact: MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1.5.2.7 Set 'Inbound Connections' to 'Enabled:Block (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.11 Set 'Inbound Connections' to 'Enabled:Block (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.9 Verifying Telnet Server is Disabled | ArubaOS | CIS HPE Aruba Networking CX Switch v1.0.1 L1
1.1.9 Verifying Telnet Server is Disabled | ArubaOS | CIS HPE Aruba Networking CX Switch v1.0.1 Optional Security Recommendations
1.2 Install TCP Wrappers - Allow localhost. Note: Replace 172.16.100.0/255.255.255.0 with a network block in use at your organization. | Unix | CIS Solaris 9 v1.3
1.2.3 Set 'no exec' for 'line aux 0' | Cisco | CIS Cisco IOS XE 17.x v2.2.1 L1
1.2.3 SSH Server Port Customization | ArubaOS | CIS HPE Aruba Networking CX Switch v1.0.1 Optional Security Recommendations
1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.3 Ensure specific whitelisted IP addresses, IP address ranges, and/or domains are set | Windows | CIS Microsoft SharePoint 2019 OS v1.0.0
1.3 Ensure specific whitelisted IP addresses, IP address ranges, and/or domains are set | Windows | CIS Microsoft SharePoint 2016 OS v1.1.0
1.3.1 Disable CDP | Cisco | CIS Cisco IOS XR 7.x v1.0.1 L1
1.3.2 Disable TCP and UDP small servers | Cisco | CIS Cisco IOS XR 7.x v1.0.1 L1
1.5.1 Set 'no snmp-server' to disable SNMP when unused | Cisco | CIS Cisco IOS XE 17.x v2.2.1 L1
1.5.1 Unset 'private' for 'snmp-server community' | Cisco | CIS Cisco IOS XR 7.x v1.0.1 L1
1.5.2 Unset 'private' for 'snmp-server community' | Cisco | CIS Cisco IOS XE 17.x v2.2.1 L1
1.5.2 Unset 'public' for 'snmp-server community' | Cisco | CIS Cisco IOS XR 7.x v1.0.1 L1
1.5.3 Do not set 'RW' for any 'snmp-server community' | Cisco | CIS Cisco IOS XR 7.x v1.0.1 L1
1.5.3 Unset 'public' for 'snmp-server community' | Cisco | CIS Cisco IOS XE 17.x v2.2.1 L1
1.5.4 Do not set 'RW' for any 'snmp-server community' | Cisco | CIS Cisco IOS XE 17.x v2.2.1 L1
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.8.1.1 SFTP and SCP | ArubaOS | CIS HPE Aruba Networking CX Switch v1.0.1 L1
1.8.1.1 SFTP and SCP | ArubaOS | CIS HPE Aruba Networking CX Switch v1.0.1 Optional Security Recommendations
1.9.1 https-server default enablement | ArubaOS | CIS HPE Aruba Networking CX Switch v1.0.1 Optional Security Recommendations
1.9.1 https-server default enablement | ArubaOS | CIS HPE Aruba Networking CX Switch v1.0.1 L1
1.14 CISC-RT-000240 | Cisco | CIS Cisco NX OS Switch RTR STIG v1.0.0 CAT I
1.17 CISC-RT-000240 | Cisco | CIS Cisco IOS XR Router RTR STIG v1.0.0 CAT I
1.18 CISC-RT-000240 | Cisco | CIS Cisco IOS XE Switch RTR STIG v1.1.0 CAT I
1.18 CISC-RT-000240 | Cisco | CIS Cisco IOS XE Router RTR STIG v1.1.0 CAT I
1.423 RHEL-10-800220 | Unix | CIS Red Hat Enterprise Linux 10 STIG v1.0.0 CAT II
2.1 Configure TCP Wrappers | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS Microsoft SQL Server 2019 v1.5.2 L1 AWS RDS
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS Microsoft SQL Server 2025 v1.0.0 L1 Database Engine MS_SQLDB
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2017 Database L1 DB v1.3.0
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS Microsoft SQL Server 2022 v1.2.1 L1 Database Engine
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS Microsoft SQL Server 2025 v1.0.0 L1 AWS RDS MS_SQLDB
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2016 Database L1 AWS RDS v1.4.0
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2016 Database L1 DB v1.4.0
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS Microsoft SQL Server 2022 v1.2.1 L1 AWS RDS
2.1 Ensure 'Ad Hoc Distributed Queries' Server Configuration Option is set to '0' | MS_SQLDB | CIS Microsoft SQL Server 2019 v1.5.2 L1 Database Engine
2.1.1 Ensure 'extproc' Is Not Enabled | Unix | CIS Oracle Database 19c v2.0.0 L1 RDBMS On Host OS Unix
2.1.1 Ensure 'extproc' Is Not Enabled | Windows | CIS Oracle Database 19c v2.0.0 L1 RDBMS On Host OS Windows
2.1.1 Ensure 'extproc' Is Not Present In 'listener.ora' | Windows | CIS Oracle Database 23ai v1.1.0 L1 RDBMS On Windows Server Host OS Windows
2.1.1 Ensure 'extproc' Is Not Present In 'listener.ora' | Unix | CIS Oracle Database 23ai v1.1.0 L1 RDBMS On Linux Host OS Unix
2.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 14.0 Sonoma Cloud-tailored v1.1.0 L1
2.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 13.0 Ventura Cloud-tailored v1.1.0 L1
2.1.1 Ensure Firewall Is Enabled | Unix | CIS Apple macOS 15.0 Sequoia Cloud-tailored v1.0.0 L1
2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' | Windows | CIS Oracle Server 18c Windows v1.1.0
10.1 Ensure Unused Features are Removed | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
10.2 SN.2 Remove Support for Internet Services (inetd) | Unix | CIS Oracle Solaris 11.4 L2 v1.1.0