CSCv6|9.2

Title

Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

Description

Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

Reference Item Details

Category: Limitation and Control of Network Ports

Family: System

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.1.2.35 Set 'Audit Policy: System: Other System Events' to 'No Auditing' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.3.9.5 Set 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' to 'Highest protection' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.3.9.7 Configure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.3.9.8 Configure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.3.9.10 Configure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.3.9.11 Configure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.3.9.15 Set 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' to 'Highest' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.3.9.16 Configure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.1.4 Set 'Windows Firewall: Domain: Apply local firewall rules' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.1.5 Set 'Windows Firewall: Domain: Apply local connection security rules' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.1.7 Set 'Windows Firewall: Domain: Outbound connections' to 'Allow (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.1.11 Set 'Windows Firewall: Domain: Firewall state' to 'On (recommended)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.2.1 Set 'Windows Firewall: Private: Firewall state' to 'On (recommended)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.2.2 Set 'Windows Firewall: Private: Outbound connections' to 'Allow (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.2.3 Set 'Windows Firewall: Private: Apply local firewall rules' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.2.5 Set 'Windows Firewall: Private: Apply local connection security rules' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.2.7 Set 'Inbound Connections' to 'Enabled:Block (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.3.1 Set 'Windows Firewall: Public: Outbound connections' to 'Allow (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.3.2 Set 'Windows Firewall: Public: Apply local firewall rules' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.3.3 Set 'Windows Firewall: Public: Apply local connection security rules' to 'No' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.3.10 Set 'Windows Firewall: Public: Firewall state' to 'On (recommended)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.3.11 Set 'Inbound Connections' to 'Enabled:Block (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.2 Install TCP Wrappers - Ensure 'ENABLE_TCPWRAPPERS' is set to 'YES' in /etc/default/inetd | Unix | CIS Solaris 9 v1.3 |
| 1.2.1.1 Configure 'Set IP Stateless Autoconfiguration Limits State' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.3 Enable TCP Wrappers and a host based firewall (firewall_enable) | Unix | CIS FreeBSD v1.0.5 |
| 1.3 Enable TCP Wrappers and a host based firewall (inetd_enable) | Unix | CIS FreeBSD v1.0.5 |
| 1.3 Enable TCP Wrappers and a host based firewall (inetd_flags) | Unix | CIS FreeBSD v1.0.5 |
| 1.3 Enable TCP Wrappers and a host based firewall (ipfw_load) | Unix | CIS FreeBSD v1.0.5 |
| 1.4 Ensure that the Forged Transmits policy is set to reject | VMware | CIS VMware ESXi 5.1 v1.0.1 Level 1 |
| 17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker |
| 17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 |
| 17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Windows Server 2012 MS L1 v2.2.0 |
| 17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Windows Server 2012 DC L1 v2.2.0 |
| 17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL |
| 17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows Server 2016 MS L1 v1.3.0 |
| 17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 |
| 17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL + NG |
| 17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0 |
| 17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows Server 2016 DC L1 v1.3.0 |
| 17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Windows Server 2012 R2 DC L1 v2.5.0 |
| 17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + NG |
| 17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure' | Windows | CIS Windows Server 2012 R2 MS L1 v2.5.0 |
| 18.4.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0 |
| 18.4.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 18.4.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 18.4.11 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' | Windows | CIS Windows 7 Workstation Level 2 v3.2.0 |
| 18.4.11 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0 |
| 18.4.12 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0 |
| 18.4.12 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' | Windows | CIS Windows 7 Workstation Level 2 v3.2.0 |