CSCv6|16.11

Title

Require multi-factor authentication for all user accounts that have access to sensitive data or systems.

Description

Require multi-factor authentication for all user accounts that have access to sensitive data or systems. Multi-factor authentication can be achieved using smart cards, certificates, One Time Password (OTP) tokens, or biometrics.

Reference Item Details

Reference: CIS Critical Security Controls v6

Category: Account Monitoring and Control

Family: Application

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.2.4.2.1.15 Set 'Configure use of smart cards on fixed data drives' to 'Enabled'	Windows	CIS Windows 8 L1 v1.0.0
1.2.4.2.1.16 Set 'Require use of smart cards on fixed data drives' to 'True'	Windows	CIS Windows 8 L1 v1.0.0
1.2.4.2.2.16 Set 'Allow BitLocker without a compatible TPM' to 'False'	Windows	CIS Windows 8 L1 v1.0.0
1.2.4.2.2.18 Set 'Configure TPM startup PIN:' to 'Require startup PIN with TPM'	Windows	CIS Windows 8 L1 v1.0.0
1.2.4.2.2.19 Set 'Configure TPM startup:' to 'Do not allow TPM'	Windows	CIS Windows 8 L1 v1.0.0
1.2.4.2.2.20 Set 'Configure TPM startup key:' to 'Do not allow startup key with TPM'	Windows	CIS Windows 8 L1 v1.0.0
1.2.4.2.2.25 Set 'Allow enhanced PINs for startup' to 'Enabled'	Windows	CIS Windows 8 L1 v1.0.0
1.2.4.2.3.15 Set 'Configure use of smart cards on removable data drives' to 'Enabled'	Windows	CIS Windows 8 L1 v1.0.0
1.2.4.2.3.16 Set 'Require use of smart cards on removable data drives' to 'True'	Windows	CIS Windows 8 L1 v1.0.0
18.9.11.1.11 Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.11.1.11 Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Bitlocker v3.2.0
18.9.11.1.11 Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.11.1.12 Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'	Windows	CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.11.1.12 Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'	Windows	CIS Windows 7 Workstation Bitlocker v3.2.0
18.9.11.1.12 Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.11.1.15 (BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.9.11.1.15 (BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker
18.9.11.1.16 (BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker
18.9.11.1.16 (BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.9.11.2.1 (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.9.11.2.1 (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker
18.9.11.2.1 Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Bitlocker v3.2.0
18.9.11.2.1 Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.11.2.1 Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.11.2.12 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'	Windows	CIS Windows 7 Workstation Bitlocker v3.2.0
18.9.11.2.12 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'	Windows	CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.11.2.12 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.11.2.13 Ensure 'Require additional authentication at startup: Configure TPM startup:' is set to 'Enabled: Do not allow TPM'	Windows	CIS Windows 7 Workstation Bitlocker v3.2.0
18.9.11.2.13 Ensure 'Require additional authentication at startup: Configure TPM startup:' is set to 'Enabled: Do not allow TPM'	Windows	CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.11.2.13 Ensure 'Require additional authentication at startup: Configure TPM startup:' is set to 'Enabled: Do not allow TPM'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.11.2.14 Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM'	Windows	CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.11.2.14 Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM'	Windows	CIS Windows 7 Workstation Bitlocker v3.2.0
18.9.11.2.14 Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.11.2.15 Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM'	Windows	CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.11.2.15 Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM'	Windows	CIS Windows 7 Workstation Bitlocker v3.2.0
18.9.11.2.15 Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.11.2.16 Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.11.2.16 Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM'	Windows	CIS Windows 7 Workstation Bitlocker v3.2.0
18.9.11.2.16 Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM'	Windows	CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.11.2.18 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker
18.9.11.2.18 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.9.11.2.19 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup:' is set to 'Enabled: Do not allow TPM'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker
18.9.11.2.19 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup:' is set to 'Enabled: Do not allow TPM'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.9.11.2.20 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.9.11.2.20 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker
18.9.11.2.21 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.9.11.2.21 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker
18.9.11.2.22 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.9.11.2.22 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker
18.9.11.3.11 Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0

Detections

Analytics

CSCv6|16.11

Title

Description

Reference Item Details

Audit Items