CSCv7|12.4

Title

Deny Communication over Unauthorized Ports

Description

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.

Reference Item Details

Category: Boundary Defense

Audit Items

Name | Plugin | Audit Name
1.1.4.4.2 Enable listening ports range is set as appropriate for organization | Zoom | CIS Zoom L2 v1.0.0
1.3.10 Ensure 'Password Profiles' do not exist | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1
2.1 Ensure 'Protect RE' Firewall Filter is set for inbound traffic to the Routing Engine | Juniper | CIS Juniper OS Benchmark v2.1.0 L1
3.2 Configure a Default Drop/Cleanup Rule | CheckPoint | CIS Check Point Firewall L2 v1.1.0
3.6 Ensure That SSH Access Is Restricted From the Internet | GCP | CIS Google Cloud Platform v2.0.0 L2
3.7 Ensure That RDP Access Is Restricted From the Internet | GCP | CIS Google Cloud Platform v2.0.0 L2
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | amazon_aws | CIS Amazon Web Services Foundations L1 2.0.0
5.1 Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible | GCP | CIS Google Cloud Platform v2.0.0 L1
5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | amazon_aws | CIS Amazon Web Services Foundations L1 2.0.0
5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports | amazon_aws | CIS Amazon Web Services Foundations L1 2.0.0
5.3 Ensure port lockdown for self IP is set | F5 | CIS F5 Networks v1.0.0 L1
6.17 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1
6.17 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions | Palo_Alto | CIS Palo Alto Firewall 11 v1.0.0 L1
6.18 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
7.1 Ensure the vSwitch Forged Transmits policy is set to reject | VMware | CIS VMware ESXi 6.5 v1.0.0 Level 1
7.1 Ensure the vSwitch Forged Transmits policy is set to reject | VMware | CIS VMware ESXi 6.7 v1.3.0 Level 1
7.1 Ensure the vSwitch Forged Transmits policy is set to reject | VMware | CIS VMware ESXi 7.0 v1.3.0 Level 1
7.2 Ensure the vSwitch MAC Address Change policy is set to reject | VMware | CIS VMware ESXi 7.0 v1.3.0 Level 1
7.2 Ensure the vSwitch MAC Address Change policy is set to reject | VMware | CIS VMware ESXi 6.5 v1.0.0 Level 1
7.2 Ensure the vSwitch MAC Address Change policy is set to reject | VMware | CIS VMware ESXi 6.7 v1.3.0 Level 1
7.3 Ensure the vSwitch Promiscuous Mode policy is set to reject | VMware | CIS VMware ESXi 7.0 v1.3.0 Level 1
7.3 Ensure the vSwitch Promiscuous Mode policy is set to reject | VMware | CIS VMware ESXi 6.7 v1.3.0 Level 1
7.3 Ensure the vSwitch Promiscuous Mode policy is set to reject | VMware | CIS VMware ESXi 6.5 v1.0.0 Level 1
7.4 Ensure port groups are not configured to the value of the native VLAN | VMware | CIS VMware ESXi 7.0 v1.3.0 Level 1
7.4 Ensure port groups are not configured to the value of the native VLAN | VMware | CIS VMware ESXi 6.7 v1.3.0 Level 1
7.5 Ensure port groups are not configured to VLAN values reserved by upstream physical switches | VMware | CIS VMware ESXi 6.7 v1.3.0 Level 1
18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) - Enabled | Windows | CIS Microsoft Windows Server 2016 STIG MS L2 v1.1.0
18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) - Enabled | Windows | CIS Microsoft Windows Server 2019 STIG MS L2 v1.0.1
18.6.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Intune for Windows 11 v2.0.0 L1
18.6.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Intune for Windows 11 v2.0.0 L1 + BL
18.6.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Intune for Windows 10 v2.0.0 L1
18.6.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Intune for Windows 10 v2.0.0 L1 + BL + NG
18.6.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Intune for Windows 11 v2.0.0 L1 + NG
18.6.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Intune for Windows 10 v2.0.0 L1 + BL
18.6.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Intune for Windows 10 v2.0.0 L1 + NG
18.6.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Intune for Windows 11 v2.0.0 L1 + BL + NG
18.6.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL + NG
18.6.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + NG
18.6.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 EMS Gateway v2.0.0 L1
18.6.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v2.0.0 L1
18.6.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1
18.6.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL
18.6.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v2.0.0 L1 + BL
18.6.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) | Windows | CIS Windows Server 2012 R2 MS L2 v3.0.0
18.6.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) | Windows | CIS Windows Server 2012 MS L2 v3.0.0
18.6.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) - Enabled | Windows | CIS Microsoft Windows Server 2016 MS L2 v2.0.0
18.6.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) - Enabled | Windows | CIS Microsoft Windows Server 2019 MS L2 v2.0.0
18.6.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) - Enabled | Windows | CIS Microsoft Windows Server 2022 v2.0.0 L2 MS