CSCv6|9.2

Title

Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

Description

Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

Reference Item Details

Category: Limitation and Control of Network Ports

Family: System

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.1.2.35 Set 'Audit Policy: System: Other System Events' to 'No Auditing' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.3.9.5 Set 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' to 'Highest protection' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.3.9.7 Configure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.3.9.8 Configure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.3.9.10 Configure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.3.9.11 Configure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.3.9.15 Set 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' to 'Highest' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.3.9.16 Configure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.1.4 Set 'Windows Firewall: Domain: Apply local firewall rules' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.1.5 Set 'Windows Firewall: Domain: Apply local connection security rules' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.1.7 Set 'Windows Firewall: Domain: Outbound connections' to 'Allow (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.1.11 Set 'Windows Firewall: Domain: Firewall state' to 'On (recommended)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.2.1 Set 'Windows Firewall: Private: Firewall state' to 'On (recommended)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.2.2 Set 'Windows Firewall: Private: Outbound connections' to 'Allow (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.2.3 Set 'Windows Firewall: Private: Apply local firewall rules' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.2.5 Set 'Windows Firewall: Private: Apply local connection security rules' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.2.7 Set 'Inbound Connections' to 'Enabled:Block (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.3.1 Set 'Windows Firewall: Public: Outbound connections' to 'Allow (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.3.2 Set 'Windows Firewall: Public: Apply local firewall rules' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.3.3 Set 'Windows Firewall: Public: Apply local connection security rules' to 'No' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.3.10 Set 'Windows Firewall: Public: Firewall state' to 'On (recommended)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.5.3.11 Set 'Inbound Connections' to 'Enabled:Block (default)' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.2.1.1 Configure 'Set IP Stateless Autoconfiguration Limits State' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.3 Enable TCP Wrappers and a host based firewall (firewall_enable) | Unix | CIS FreeBSD v1.0.5 |
| 1.3 Enable TCP Wrappers and a host based firewall (inetd_enable) | Unix | CIS FreeBSD v1.0.5 |
| 1.3 Enable TCP Wrappers and a host based firewall (inetd_flags) | Unix | CIS FreeBSD v1.0.5 |
| 1.3 Enable TCP Wrappers and a host based firewall (ipfw_load) | Unix | CIS FreeBSD v1.0.5 |
| 2.1 Enable Secure Admin Access - 'ssh.access has been configured' | NetApp | TNS NetApp Data ONTAP 7G |
| 2.4 Configure TCP Wrappers - enable tcp_wrappers for rpc/bind. Note: This check is recommended by CIS, but not required. | Unix | CIS Solaris 10 L1 v5.2 |
| 2.6.3 Enable Firewall | Unix | CIS Apple OSX 10.11 El Capitan L1 v1.1.0 |
| 2.6.3 Enable Firewall | Unix | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 |
| 2.6.4 Enable Firewall Stealth Mode | Unix | CIS Apple OSX 10.11 El Capitan L1 v1.1.0 |
| 2.6.4 Enable Firewall Stealth Mode | Unix | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 |
| 2.6.5 Review Application Firewall Rules | Unix | CIS Apple OSX 10.11 El Capitan L1 v1.1.0 |
| 2.6.5 Review Application Firewall Rules | Unix | CIS Apple OSX 10.10 Yosemite L1 v1.2.0 |
| 2.8 Protocol Access Controls - 'httpd.access has been configured' | NetApp | TNS NetApp Data ONTAP 7G |
| 2.8 Protocol Access Controls - 'interface.blocked.cifs has been configured' | NetApp | TNS NetApp Data ONTAP 7G |
| 2.8 Protocol Access Controls - 'interface.blocked.cifs is not blank' | NetApp | TNS NetApp Data ONTAP 7G |
| 2.8 Protocol Access Controls - 'interface.blocked.ftpd has been configured' | NetApp | TNS NetApp Data ONTAP 7G |
| 2.8 Protocol Access Controls - 'interface.blocked.ftpd is not blank' | NetApp | TNS NetApp Data ONTAP 7G |
| 2.8 Protocol Access Controls - 'interface.blocked.iscsi has been configured' | NetApp | TNS NetApp Data ONTAP 7G |
| 2.8 Protocol Access Controls - 'interface.blocked.iscsi is not blank' | NetApp | TNS NetApp Data ONTAP 7G |
| 2.8 Protocol Access Controls - 'interface.blocked.mgmt_data_traffic = on' | NetApp | TNS NetApp Data ONTAP 7G |
| 2.8 Protocol Access Controls - 'interface.blocked.ndmp has been configured' | NetApp | TNS NetApp Data ONTAP 7G |
| 2.8 Protocol Access Controls - 'interface.blocked.ndmp is not blank' | NetApp | TNS NetApp Data ONTAP 7G |
| 2.8 Protocol Access Controls - 'interface.blocked.nfs has been configured' | NetApp | TNS NetApp Data ONTAP 7G |
| 2.8 Protocol Access Controls - 'interface.blocked.nfs is not blank' | NetApp | TNS NetApp Data ONTAP 7G |
| 2.8 Protocol Access Controls - 'interface.blocked.snapmirror has been configured' | NetApp | TNS NetApp Data ONTAP 7G |
| 2.8 Protocol Access Controls - 'interface.blocked.snapmirror is not blank' | NetApp | TNS NetApp Data ONTAP 7G |
| 2.10.1 - TCP Wrappers - installing TCP Wrappers - 'netsec.options.idprotocol is installed' | Unix | CIS AIX 5.3/6.1 L2 v1.1.0 |