CSCv6|9.2

Title

Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

Description

Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

Reference Item Details

Category: Limitation and Control of Network Ports

Family: System

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1.2.35 Set 'Audit Policy: System: Other System Events' to 'No Auditing'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.9.5 Set 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' to 'Highest protection'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.9.7 Configure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.9.8 Configure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.9.10 Configure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.9.11 Configure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 default)'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.9.15 Set 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' to 'Highest'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.9.16 Configure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)'WindowsCIS Windows 8 L1 v1.0.0
1.1.5.1.4 Set 'Windows Firewall: Domain: Apply local firewall rules' to 'Yes (default)'WindowsCIS Windows 8 L1 v1.0.0
1.1.5.1.5 Set 'Windows Firewall: Domain: Apply local connection security rules' to 'Yes (default)'WindowsCIS Windows 8 L1 v1.0.0
1.1.5.1.7 Set 'Windows Firewall: Domain: Outbound connections' to 'Allow (default)'WindowsCIS Windows 8 L1 v1.0.0
1.1.5.1.11 Set 'Windows Firewall: Domain: Firewall state' to 'On (recommended)'WindowsCIS Windows 8 L1 v1.0.0
1.1.5.2.1 Set 'Windows Firewall: Private: Firewall state' to 'On (recommended)'WindowsCIS Windows 8 L1 v1.0.0
1.1.5.2.2 Set 'Windows Firewall: Private: Outbound connections' to 'Allow (default)'WindowsCIS Windows 8 L1 v1.0.0
1.1.5.2.3 Set 'Windows Firewall: Private: Apply local firewall rules' to 'Yes (default)'WindowsCIS Windows 8 L1 v1.0.0
1.1.5.2.5 Set 'Windows Firewall: Private: Apply local connection security rules' to 'Yes (default)'WindowsCIS Windows 8 L1 v1.0.0
1.1.5.2.7 Set 'Inbound Connections' to 'Enabled:Block (default)'WindowsCIS Windows 8 L1 v1.0.0
1.1.5.3.1 Set 'Windows Firewall: Public: Outbound connections' to 'Allow (default)'WindowsCIS Windows 8 L1 v1.0.0
1.1.5.3.2 Set 'Windows Firewall: Public: Apply local firewall rules' to 'Yes (default)'WindowsCIS Windows 8 L1 v1.0.0
1.1.5.3.3 Set 'Windows Firewall: Public: Apply local connection security rules' to 'No'WindowsCIS Windows 8 L1 v1.0.0
1.1.5.3.10 Set 'Windows Firewall: Public: Firewall state' to 'On (recommended)'WindowsCIS Windows 8 L1 v1.0.0
1.1.5.3.11 Set 'Inbound Connections' to 'Enabled:Block (default)'WindowsCIS Windows 8 L1 v1.0.0
1.2 Install TCP Wrappers - Ensure 'ENABLE_TCPWRAPPERS' is set to 'YES' in /etc/default/inetdUnixCIS Solaris 9 v1.3
1.2.1.1 Configure 'Set IP Stateless Autoconfiguration Limits State'WindowsCIS Windows 8 L1 v1.0.0
1.3 Enable TCP Wrappers and a host based firewall (firewall_enable)UnixCIS FreeBSD v1.0.5
1.3 Enable TCP Wrappers and a host based firewall (inetd_enable)UnixCIS FreeBSD v1.0.5
1.3 Enable TCP Wrappers and a host based firewall (inetd_flags)UnixCIS FreeBSD v1.0.5
1.3 Enable TCP Wrappers and a host based firewall (ipfw_load)UnixCIS FreeBSD v1.0.5
1.4 Ensure that the Forged Transmits policy is set to rejectVMwareCIS VMware ESXi 5.1 v1.0.1 Level 1
2.1 Configure TCP Wrappers - inetadmUnixCIS Oracle Solaris 11.4 L1 v1.0.0
2.1 Configure TCP Wrappers - rpc/bindUnixCIS Oracle Solaris 11.4 L1 v1.0.0
17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
17.9.2 Ensure 'Audit Other System Events' is set to 'Success and Failure'WindowsCIS Windows 7 Workstation Level 1 v3.2.0
18.4.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'WindowsCIS Windows 7 Workstation Level 1 v3.2.0
18.4.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.4.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'WindowsCIS Windows 7 Workstation Level 1 v3.2.0
18.4.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.4.5 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'WindowsCIS Windows 7 Workstation Level 1 v3.2.0
18.4.5 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.4.6 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'WindowsCIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.4.6 Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'WindowsCIS Windows 7 Workstation Level 2 v3.2.0
18.4.8 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'WindowsCIS Windows 7 Workstation Level 2 v3.2.0
18.4.8 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'WindowsCIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.4.11 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'WindowsCIS Windows 7 Workstation Level 2 v3.2.0
18.4.11 Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'WindowsCIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.4.12 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'WindowsCIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.4.12 Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'WindowsCIS Windows 7 Workstation Level 2 v3.2.0
18.5.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')WindowsCIS Windows 7 Workstation Level 2 v3.2.0
18.5.19.2.1 Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')WindowsCIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0