CSCv6|16.14

Title

Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges.

Description

Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.

Reference Item Details

Category: Account Monitoring and Control

Family: Application

Audit Items

Name | Plugin | Audit Name
1.1.1 Ensure 'Logon Password' is set | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.1.1 Ensure 'Logon Password' is set | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.0.0
1.1.1 Ensure 'Logon Password' is set | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.1.1.7 Set 'Store passwords using reversible encryption' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.2 Ensure 'Enable Password' is set | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.1.2 Ensure 'Enable Password' is set | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.1.2 Ensure 'Enable Password' is set | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.0.0
1.1.2 Ensure that the --basic-auth-file argument is not set | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.2 Ensure that the --basic-auth-file argument is not set | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.2 Ensure that the --basic-auth-file argument is not set | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.3 Ensure that the --basic-auth-file argument is not set | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.3.10.11 Configure 'Network access: Do not allow storage of passwords and credentials for network authentication' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.11.1 Set 'Network security: Do not store LAN Manager hash value on next password change' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.11.15 Set 'Network Security: Configure encryption types allowed for Kerberos' to 'RC4\AES128\AES256\Future types' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.14.1 Configure 'System cryptography: Force strong key protection for user keys stored on the computer' | Windows | CIS Windows 8 L1 v1.0.0
1.1.6 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
1.1.19 Ensure that the --token-auth-file parameter is not set | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.20 Ensure that the --token-auth-file parameter is not set | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.20 Ensure that the --token-auth-file parameter is not set | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.21 Ensure that the --token-auth-file parameter is not set | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.2.4.5.4 Set 'Always prompt for password upon connection' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0
2.3.10.4 (L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 2 v3.3.0
2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 2 v3.3.0
2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
2.3.14.1 (L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher | Windows | CIS Microsoft Windows 8.1 v2.4.1 L2
2.3.14.1 (L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher | Windows | CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker
2.3.14.1 Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher | Windows | CIS Windows 7 Workstation Level 2 v3.2.0
2.3.14.1 Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
2.6 Ensure transport layer security for 'basic authentication' is configured | Windows | CIS IIS 7 L1 v1.8.0
2.7 Ensure 'passwordFormat' is not set to clear - Applications | Windows | CIS IIS 7 L1 v1.8.0
2.7 Ensure 'passwordFormat' is not set to clear - Default | Windows | CIS IIS 7 L1 v1.8.0
2.8 Ensure 'credentials' are not stored in configuration files - Applications | Windows | CIS IIS 7 L2 v1.8.0
18.3.6 (L1) Ensure 'WDigest Authentication' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.3.7 Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.0
18.3.7 Ensure 'WDigest Authentication' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.3.7 Ensure 'WDigest Authentication' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
18.8.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.9.59.3.9.1 (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.9.59.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
18.9.59.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.9.65.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.0
18.9.65.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.0