CSCv6|9.2

Title

Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

Description

Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
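The control describes a property, not a product: an end system's inbound filter must have a drop default with an explicit allow-list of services, and nothing in the chain may quietly re-open it. The shell script below is an added example, not content from this reference page or from Tenable or CIS, showing what that property looks like as a concrete ruleset and how to audit an existing ruleset for it. It assumes Linux nftables (the syntax `nft -f` accepts and `nft list ruleset` prints); the table name `host_fw`, the function names and the two sample dumps are constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the Tenable/CIS page: generate a default-deny host
# firewall ruleset for nftables and audit a ruleset dump for the default-deny
# property this control requires. Assumptions: nftables syntax as accepted by
# `nft -f`; the table name host_fw and the sample dumps below are constructed.

# Print an nftables ruleset whose input chain drops everything that is not
# explicitly allowed. Arguments: TCP ports to allow inbound (default: 22).
default_deny_ruleset() {
    if [ $# -eq 0 ]; then set -- 22; fi
    ports=$(printf '%s,' "$@")
    ports=${ports%,}
    cat <<EOF
table inet host_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept
        tcp dport { $ports } ct state new accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Audit a ruleset dump (the text `nft list ruleset` prints) read from stdin.
# Exit 0 only if an input-hook chain exists, its policy is drop, and it holds
# no unconditional `accept` rule that would defeat the drop default.
audit_default_deny() {
    awk '
        /^[ \t]*chain /            { in_input = 0 }
        /type filter hook input/   { seen = 1; in_input = 1
                                     if ($0 !~ /policy drop/) bad = 1 }
        /^[ \t]*}/                 { in_input = 0 }
        in_input && /^[ \t]*accept[ \t]*;?[ \t]*$/ { bad = 1 }
        END { if (seen && !bad) exit 0; exit 1 }
    '
}

# Print a one-line verdict for a dump on stdin; always returns 0 so several
# checks can be run in sequence.
report() {
    if audit_default_deny; then
        echo "PASS: $1"
    else
        echo "FAIL: $1"
    fi
}

# Constructed dump: the firewall is loaded but the input policy is accept,
# so only the listed port is filtered and everything else is open.
PERMISSIVE_DUMP='table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 22 accept
    }
}'

# Constructed dump: policy drop is set, but a bare accept makes it meaningless.
HOLLOW_DUMP='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        accept
    }
}'

default_deny_ruleset 22 443 | report "generated default-deny ruleset"        # PASS
printf '%s\n' "$PERMISSIVE_DUMP" | report "constructed policy-accept ruleset" # FAIL
printf '%s\n' "$HOLLOW_DUMP" | report "constructed drop policy with bare accept" # FAIL
```

To apply the generated ruleset on a host (as root, with nft installed) run `default_deny_ruleset 22 443 | nft -f -`; to audit a live system run `nft list ruleset | audit_default_deny` and act on the exit status. Two caveats a practitioner will want: the control's default-deny is about inbound listeners, and the CIS Windows 8 items listed under Audit Items set 'Inbound Connections' to 'Enabled:Block (default)' while leaving 'Outbound connections' at 'Allow (default)', which is what the output chain's accept policy mirrors here; and the TCP Wrappers items (Solaris, FreeBSD) gate access at the inetd service layer rather than the packet filter, so a ruleset audit like this one says nothing about them.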

Reference Item Details

Category: Limitation and Control of Network Ports

Family: System

Audit Items


Name | Plugin | Audit Name
1.1.1.2.1.16 Set 'MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.16 Set 'MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.24 Set 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' to '300000 or 5 minutes (recommended)' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.24 Set 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' to '300000 or 5 minutes (recommended)' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.41 Set 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' to '3' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.41 Set 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' to '3' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.56 Set 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.56 Set 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.57 Set 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses' to 'Disabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.57 Set 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses' to 'Disabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.58 Set 'MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.58 Set 'MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.81 Set 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' to 'Disabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.81 Set 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' to 'Disabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.84 Set 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' to 'Disabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.84 Set 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' to 'Disabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.2.35 Set 'Audit Policy: System: Other System Events' to 'No Auditing' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.9.5 Set 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' to 'Highest protection' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.9.7 Configure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.9.8 Configure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.9.10 Configure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.9.11 Configure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.9.15 Set 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' to 'Highest' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.9.16 Configure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.4 Set 'Windows Firewall: Domain: Apply local firewall rules' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.5 Set 'Windows Firewall: Domain: Apply local connection security rules' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.7 Set 'Windows Firewall: Domain: Outbound connections' to 'Allow (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.1.11 Set 'Windows Firewall: Domain: Firewall state' to 'On (recommended)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.2.1 Set 'Windows Firewall: Private: Firewall state' to 'On (recommended)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.2.2 Set 'Windows Firewall: Private: Outbound connections' to 'Allow (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.2.3 Set 'Windows Firewall: Private: Apply local firewall rules' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.2.5 Set 'Windows Firewall: Private: Apply local connection security rules' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.2.7 Set 'Inbound Connections' to 'Enabled:Block (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.1 Set 'Windows Firewall: Public: Outbound connections' to 'Allow (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.2 Set 'Windows Firewall: Public: Apply local firewall rules' to 'Yes (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.3 Set 'Windows Firewall: Public: Apply local connection security rules' to 'No' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.10 Set 'Windows Firewall: Public: Firewall state' to 'On (recommended)' | Windows | CIS Windows 8 L1 v1.0.0
1.1.5.3.11 Set 'Inbound Connections' to 'Enabled:Block (default)' | Windows | CIS Windows 8 L1 v1.0.0
1.2 Install TCP Wrappers - Ensure 'ENABLE_TCPWRAPPERS' is set to 'YES' in /etc/default/inetd | Unix | CIS Solaris 9 v1.3
1.2.1.1 Configure 'Set IP Stateless Autoconfiguration Limits State' | Windows | CIS Windows 8 L1 v1.0.0
1.2.1.1.1.1.13 Configure 'Windows Firewall: Protect all network connections' | Windows | CIS Windows 2003 DC v3.1.0
1.2.1.1.1.1.13 Configure 'Windows Firewall: Protect all network connections' | Windows | CIS Windows 2003 MS v3.1.0
1.2.1.1.1.2.10 Configure 'Windows Firewall: Protect all network connections' | Windows | CIS Windows 2003 MS v3.1.0
1.2.1.1.1.2.10 Configure 'Windows Firewall: Protect all network connections' | Windows | CIS Windows 2003 DC v3.1.0
1.3 Enable TCP Wrappers and a host based firewall (firewall_enable) | Unix | CIS FreeBSD v1.0.5
1.3 Enable TCP Wrappers and a host based firewall (inetd_enable) | Unix | CIS FreeBSD v1.0.5
1.3 Enable TCP Wrappers and a host based firewall (inetd_flags) | Unix | CIS FreeBSD v1.0.5
1.3 Enable TCP Wrappers and a host based firewall (ipfw_load) | Unix | CIS FreeBSD v1.0.5
1.4 Ensure that the Forged Transmits policy is set to reject | VMware | CIS VMware ESXi 5.1 v1.0.1 Level 1
1.4.13.10 Enable firewall protection | Unix | CIS Apple OSX 10.6 Snow Leopard L1 v1.0.0