CSCv6|16.9

Title

Configure access for all accounts through a centralized point of authentication, for example Active Directory or LDAP.

Description

Configure access for all accounts through a centralized point of authentication, for example Active Directory or LDAP. Configure network and security devices for centralized authentication as well.

Reference Item Details

Reference: CIS Critical Security Controls v6

Category: Account Monitoring and Control

Family: Application

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1.3.11.12 Set 'Network Security: Allow PKU2U authentication requeststo this computer to use online identities' to 'Disabled'	Windows	CIS Windows 8 L1 v1.0.0
1.1.4 Set 'login authentication for 'line tty'	Cisco	CIS Cisco IOS 16 L1 v2.0.0
1.2.3.2.4 Set 'Do not enumerate connected users on domain-joined computers' to 'Enabled'	Windows	CIS Windows 8 L1 v1.0.0
1.2.3.2.6 Set 'Enumerate local users on domain-joined computers' to 'Disabled'	Windows	CIS Windows 8 L1 v1.0.0
1.4 Ensure that the underlying Internet Information Services (IIS) Authentication module is set to use Kerberos as its Auth Provider	Windows	CIS Microsoft SharePoint 2016 OS v1.1.0
1.4 Ensure that the underlying Internet Information Services (IIS) Authentication module is set to use Kerberos as its Authentication Provider	Windows	CIS Microsoft SharePoint 2019 OS v1.0.0
2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
2.3.11.3 Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
3.1 Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode'	MS_SQLDB	CIS SQL Server 2008 R2 DB Engine L1 v1.7.0
3.1 Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode'	MS_SQLDB	CIS SQL Server 2012 Database L1 DB v1.6.0
3.1 Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode'	MS_SQLDB	CIS SQL Server 2012 Database L1 AWS RDS v1.6.0
3.1 Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode' - Windows Authentication mode	MS_SQLDB	CIS SQL Server 2014 Database L1 AWS RDS v1.5.0
3.1 Ensure 'Server Authentication' Property is set to 'Windows Authentication Mode' - Windows Authentication mode	MS_SQLDB	CIS SQL Server 2014 Database L1 DB v1.5.0
4.2 Ensure claims-based authentication is used for all web applications and zones of a SharePoint 2016 farm	Windows	CIS Microsoft SharePoint 2016 OS v1.1.0
4.2 Ensure claims-based authentication is used for all web applications and zones of a SharePoint 2019 farm	Windows	CIS Microsoft SharePoint 2019 OS v1.0.0
4.3 Ensure Windows Authentication uses Kerberos and not the NT Lan Manager (NTLM) authentication protocol	Windows	CIS Microsoft SharePoint 2019 OS v1.0.0
4.3 Ensure Windows Authentication uses Kerberos and not the NT Lan Manager (NTLM) authentication protocol	Windows	CIS Microsoft SharePoint 2016 OS v1.1.0
6.2.2 Ensure no legacy '+' entries exist in /etc/passwd	Unix	CIS Amazon Linux v2.1.0 L1
6.2.2 Ensure no legacy '+' entries exist in /etc/passwd - + entries exist in /etc/passwd	Unix	CIS Ubuntu Linux 18.04 LXD Host L1 Server v1.0.0
6.2.2 Ensure no legacy '+' entries exist in /etc/passwd - + entries exist in /etc/passwd	Unix	CIS Ubuntu Linux 18.04 LXD Host L1 Workstation v1.0.0
6.2.2 Ensure no legacy '+' entries exist in /etc/passwd - + entries exist in /etc/passwd	Unix	CIS Ubuntu Linux 18.04 LXD Container L1 v1.0.0
6.2.2 Ensure no legacy "+" entries exist in /etc/passwd	Unix	CIS Distribution Independent Linux Workstation L1 v2.0.0
6.2.2 Ensure no legacy "+" entries exist in /etc/passwd	Unix	CIS Distribution Independent Linux Server L1 v2.0.0
6.2.3 Ensure no legacy '+' entries exist in /etc/passwd - + entries exist in /etc/passwd	Unix	CIS Red Hat 6 Workstation L1 v3.0.0
6.2.3 Ensure no legacy '+' entries exist in /etc/passwd - + entries exist in /etc/passwd	Unix	CIS CentOS 6 Workstation L1 v3.0.0
6.2.3 Ensure no legacy '+' entries exist in /etc/passwd - + entries exist in /etc/passwd	Unix	CIS CentOS 6 Server L1 v3.0.0
6.2.3 Ensure no legacy '+' entries exist in /etc/passwd - + entries exist in /etc/passwd	Unix	CIS Oracle Linux 6 Server L1 v2.0.0
6.2.3 Ensure no legacy '+' entries exist in /etc/passwd - + entries exist in /etc/passwd	Unix	CIS Red Hat 6 Server L1 v3.0.0
6.2.3 Ensure no legacy '+' entries exist in /etc/passwd - + entries exist in /etc/passwd	Unix	CIS Oracle Linux 6 Workstation L1 v2.0.0
6.2.3 Ensure no legacy '+' entries exist in /etc/shadow	Unix	CIS Amazon Linux v2.1.0 L1
6.2.3 Ensure no legacy '+' entries exist in /etc/shadow	Unix	CIS Debian 8 Workstation L1 v2.0.2
6.2.3 Ensure no legacy '+' entries exist in /etc/shadow	Unix	CIS Debian 8 Server L1 v2.0.2
6.2.3 Ensure no legacy "+" entries exist in /etc/shadow	Unix	CIS Distribution Independent Linux Server L1 v2.0.0
6.2.3 Ensure no legacy "+" entries exist in /etc/shadow	Unix	CIS Distribution Independent Linux Workstation L1 v2.0.0
6.2.4 Ensure no legacy '+' entries exist in /etc/group	Unix	CIS Amazon Linux v2.1.0 L1
6.2.4 Ensure no legacy '+' entries exist in /etc/group	Unix	CIS Debian 8 Server L1 v2.0.2
6.2.4 Ensure no legacy "+" entries exist in /etc/group	Unix	CIS Distribution Independent Linux Server L1 v2.0.0
6.2.4 Ensure no legacy "+" entries exist in /etc/group	Unix	CIS Distribution Independent Linux Workstation L1 v2.0.0
6.2.20 Ensure shadow group is empty	Unix	CIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
6.2.20 Ensure shadow group is empty	Unix	CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
18.2.1 (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.2.3 (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
18.2.3 Ensure 'Enable Local Admin Password Management' is set to 'Enabled'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.8.28.2 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.8.28.3 (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.9.6.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker

Detections

Analytics

CSCv6|16.9

Title

Description

Reference Item Details

Audit Items