CSCv7|12.4

Title

Deny Communication over Unauthorized Ports

Description

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.

Reference Item Details

Category: Boundary Defense

Audit Items

Name | Plugin | Audit Name
1.1.4.4.2 Enable listening ports range is set as appropriate for organization | Zoom | CIS Zoom L2 v1.0.0
1.3.10 Ensure 'Password Profiles' do not exist | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1
2.1 Ensure 'Protect RE' Firewall Filter is set for inbound traffic to the Routing Engine | Juniper | CIS Juniper OS Benchmark v2.1.0 L1
3.2 Configure a Default Drop/Cleanup Rule | CheckPoint | CIS Check Point Firewall L2 v1.1.0
3.6 Ensure That SSH Access Is Restricted From the Internet | GCP | CIS Google Cloud Platform v3.0.0 L2
3.6.18.2 (L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Intune for Windows 10 v3.0.1 L1
3.6.18.2 (L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Intune for Windows 11 v3.0.1 L1
3.7 Ensure That RDP Access Is Restricted From the Internet | GCP | CIS Google Cloud Platform v3.0.0 L2
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1
4.2 Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | amazon_aws | CIS Amazon Web Services Foundations L1 3.0.0
5.1 Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible | GCP | CIS Google Cloud Platform v3.0.0 L1
5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | amazon_aws | CIS Amazon Web Services Foundations L1 3.0.0
5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports | amazon_aws | CIS Amazon Web Services Foundations L1 3.0.0
5.3 Ensure port lockdown for self IP is set | F5 | CIS F5 Networks v1.0.0 L1
5.6 (L1) Host should reject forged transmits on standard virtual switches and port groups | VMware | CIS VMware ESXi 8.0 v1.1.0 L1
5.7 (L1) Host should reject MAC address changes on standard virtual switches and port groups | VMware | CIS VMware ESXi 8.0 v1.1.0 L1
5.8 (L1) Host should reject promiscuous mode requests on standard virtual switches and port groups | VMware | CIS VMware ESXi 8.0 v1.1.0 L1
5.9 (L1) Host must restrict access to a default or native VLAN on standard virtual switches | VMware | CIS VMware ESXi 8.0 v1.1.0 L1
5.10 (L1) Host must restrict the use of Virtual Guest Tagging (VGT) on standard virtual switches | VMware | CIS VMware ESXi 8.0 v1.1.0 L1
6.5.3 (L1) Host SSH daemon, if enabled, must not allow use of gateway ports | Unix | CIS VMware ESXi 8.0 v1.1.0 L1 Bare Metal
6.17 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1
6.17 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions | Palo_Alto | CIS Palo Alto Firewall 11 v1.0.0 L1
6.18 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
7.1 Ensure the vSwitch Forged Transmits policy is set to reject | VMware | CIS VMware ESXi 6.5 v1.0.0 Level 1
7.1 Ensure the vSwitch Forged Transmits policy is set to reject | VMware | CIS VMware ESXi 6.7 v1.3.0 Level 1
7.1 Ensure the vSwitch Forged Transmits policy is set to reject | VMware | CIS VMware ESXi 7.0 v1.3.0 Level 1
7.2 Ensure the vSwitch MAC Address Change policy is set to reject | VMware | CIS VMware ESXi 6.5 v1.0.0 Level 1
7.2 Ensure the vSwitch MAC Address Change policy is set to reject | VMware | CIS VMware ESXi 6.7 v1.3.0 Level 1
7.2 Ensure the vSwitch MAC Address Change policy is set to reject | VMware | CIS VMware ESXi 7.0 v1.3.0 Level 1
7.3 Ensure the vSwitch Promiscuous Mode policy is set to reject | VMware | CIS VMware ESXi 6.5 v1.0.0 Level 1
7.3 Ensure the vSwitch Promiscuous Mode policy is set to reject | VMware | CIS VMware ESXi 6.7 v1.3.0 Level 1
7.19 (L1) Virtual machines must limit access through the "dvfilter" network API | VMware | CIS VMware ESXi 8.0 v1.1.0 L1
18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) - Enabled | Windows | CIS Microsoft Windows Server 2016 STIG MS L2 v1.1.0
18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) - Enabled | Windows | CIS Microsoft Windows Server 2019 STIG MS L2 v1.0.1
18.6.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Intune for Windows 11 v2.0.0 L1 + BL
18.6.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Intune for Windows 11 v2.0.0 L1 + BL + NG
18.6.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Intune for Windows 11 v2.0.0 L1 + NG
18.6.21.2 (L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v3.0.0 L1 + NG
18.6.21.2 (L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v3.0.0 L1 + BL + NG
18.6.21.2 (L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v3.0.0 L1 + BL
18.6.21.2 (L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v3.0.0 L1
18.6.21.2 (L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v3.0.0 L1
18.6.21.2 (L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v3.0.0 L1 + BL
18.6.21.2 (L2) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) | Windows | CIS Microsoft Windows Server 2016 v3.0.0 L2 MS
18.6.21.2 (L2) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) | Windows | CIS Microsoft Windows Server 2022 v3.0.0 L2 Member Server
18.6.21.2 (L2) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) | Windows | CIS Microsoft Windows Server 2019 v3.0.0 L2 Member Server
18.6.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 EMS Gateway v2.0.0 L1
18.6.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) | Windows | CIS Windows Server 2012 R2 MS L2 v3.0.0
18.6.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) | Windows | CIS Windows Server 2012 MS L2 v3.0.0