CSCv7|12.4

Title

Deny Communication over Unauthorized Ports

Description

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.

Reference Item Details

Category: Boundary Defense

Audit Items


Name | Plugin | Audit Name
1.1.4.4.2 Enable listening ports range is set as appropriate for organization | Zoom | CIS Zoom L2 v1.0.0
2.1 Ensure 'Protect RE' Firewall Filter is set for inbound traffic to the Routing Engine | Juniper | CIS Juniper OS Benchmark v2.1.0 L1
3.2 Configure a Default Drop/Cleanup Rule | CheckPoint | CIS Check Point Firewall L2 v1.1.0
3.6 Ensure that SSH access is restricted from the internet | GCP | CIS Google Cloud Platform v1.1.0 L2
3.7 Ensure that RDP access is restricted from the Internet | GCP | CIS Google Cloud Platform v1.1.0 L2
5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | amazon_aws | CIS Amazon Web Services Foundations L1 1.4.0
5.1 Ensure that Cloud Storage bucket is not anonymously or publicly accessible | GCP | CIS Google Cloud Platform v1.1.0 L1
5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports | amazon_aws | CIS Amazon Web Services Foundations L1 1.4.0
5.3 Ensure port lockdown for self IP is set | F5 | CIS F5 Networks v1.0.0 L1
6.18 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1
6.18 Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1
7.1 Ensure the vSwitch Forged Transmits policy is set to reject | VMware | CIS VMware ESXi 6.7 v1.2.0 Level 1
7.1 Ensure the vSwitch Forged Transmits policy is set to reject | VMware | CIS VMware ESXi 6.5 v1.0.0 Level 1
7.1 Ensure the vSwitch Forged Transmits policy is set to reject | VMware | CIS VMware ESXi 7.0 v1.1.0 Level 1
7.2 Ensure the vSwitch MAC Address Change policy is set to reject | VMware | CIS VMware ESXi 6.5 v1.0.0 Level 1
7.2 Ensure the vSwitch MAC Address Change policy is set to reject | VMware | CIS VMware ESXi 6.7 v1.2.0 Level 1
7.2 Ensure the vSwitch MAC Address Change policy is set to reject | VMware | CIS VMware ESXi 7.0 v1.1.0 Level 1
7.3 Ensure the vSwitch Promiscuous Mode policy is set to reject | VMware | CIS VMware ESXi 6.5 v1.0.0 Level 1
7.3 Ensure the vSwitch Promiscuous Mode policy is set to reject | VMware | CIS VMware ESXi 6.7 v1.2.0 Level 1
7.3 Ensure the vSwitch Promiscuous Mode policy is set to reject | VMware | CIS VMware ESXi 7.0 v1.1.0 Level 1
7.4 Ensure port groups are not configured to the value of the native VLAN | VMware | CIS VMware ESXi 6.7 v1.2.0 Level 1
7.4 Ensure port groups are not configured to the value of the native VLAN | VMware | CIS VMware ESXi 7.0 v1.1.0 Level 1
7.5 Ensure port groups are not configured to VLAN values reserved by upstream physical switches | VMware | CIS VMware ESXi 6.7 v1.2.0 Level 1
7.5 Ensure port groups are not configured to VLAN values reserved by upstream physical switches | VMware | CIS VMware ESXi 7.0 v1.1.0 Level 1
7.5 Ensure that port groups are not configured to VLAN values reserved by upstream physical switches | VMware | CIS VMware ESXi 6.5 v1.0.0 Level 1
7.6 Ensure port groups are not configured to VLAN 4095 and 0 except for Virtual Guest Tagging (VGT) | VMware | CIS VMware ESXi 7.0 v1.1.0 Level 1
7.6 Ensure port groups are not configured to VLAN 4095 except for Virtual Guest Tagging (VGT) | VMware | CIS VMware ESXi 6.7 v1.2.0 Level 1
7.8 Ensure port-level configuration overrides are disabled. | VMware | CIS VMware ESXi 6.7 v1.2.0 Level 1
7.8 Ensure port-level configuration overrides are disabled. | VMware | CIS VMware ESXi 7.0 v1.1.0 Level 1
8.3.3 Ensure secure protocols are used for virtual serial port access | VMware | CIS VMware ESXi 6.5 v1.0.0 Level 1
8.3.3 Ensure secure protocols are used for virtual serial port access | VMware | CIS VMware ESXi 6.7 v1.2.0 Level 1
8.3.3 Ensure secure protocols are used for virtual serial port access | VMware | CIS VMware ESXi 7.0 v1.1.0 Level 1
8.4.1 Ensure access to VMs through the dvfilter network APIs is configured correctly | VMware | CIS VMware ESXi 6.5 v1.0.0 Level 1
18.5.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + BL
18.5.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + BL + NG
18.5.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1
18.5.21.1 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + NG
18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL + NG
18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + NG
18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL
18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1
18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL
18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + NG
18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL + NG
18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1
18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) | Windows | CIS Windows Server 2012 R2 MS L2 v2.5.0
18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) - Enabled | Windows | CIS Microsoft Windows Server 2016 STIG MS L2 v1.1.0
18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) - Enabled | Windows | CIS Microsoft Windows Server 2022 v1.0.0 L2 MS
18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) - Enabled | Windows | CIS Microsoft Windows Server 2019 MS L2 v1.3.0
18.5.21.2 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only) - Enabled | Windows | CIS Microsoft Windows Server 2019 STIG MS L2 v1.0.1
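The control above is deny-by-default at the boundary: a rule is only acceptable if every port it admits is on an authorized list, and the CIS AWS 5.1/5.2 and GCP 3.6/3.7 items in the table add the narrower check that SSH and RDP are never reachable from the whole Internet. The following is an added example that applies both checks to a set of constructed ingress rules; it is not Tenable's audit logic and not any cloud provider's API. The rule shape (protocol "-1" with ports -1 meaning all traffic) is a hypothetical simplification modeled on AWS security-group rules, and the allowlist stands in for the organization's authorized-port policy.

```python
"""Audit ingress rules for CSC 12.4 "deny communication over unauthorized ports".

Added example, not Tenable's audit logic or any vendor's API. The rule
shape is a hypothetical simplification modeled on AWS security-group
rules (protocol "-1" with ports -1 meaning "all"); the allowlist is the
organization's authorized-port policy.
"""
import ipaddress
from dataclasses import dataclass

ADMIN_PORTS = {22, 3389}  # SSH and RDP: the CIS "remote server administration ports"
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


@dataclass(frozen=True)
class IngressRule:
    group: str      # security group / ACL name (hypothetical)
    protocol: str   # "tcp", "udp", or "-1" for all protocols
    from_port: int  # -1 together with protocol "-1" means every port
    to_port: int
    source: str     # source CIDR


def rule_ports(rule: IngressRule) -> set:
    """Expand the rule's destination port span into a set of port numbers."""
    if rule.protocol == "-1" or rule.from_port == -1:
        return set(range(0, 65536))
    return set(range(rule.from_port, rule.to_port + 1))


def is_world_open(rule: IngressRule) -> bool:
    """True when the source is the whole IPv4 or IPv6 Internet."""
    net = ipaddress.ip_network(rule.source, strict=False)
    return net == ANY_V4 or net == ANY_V6


def audit_rules(rules, allowed):
    """Return findings as (group, kind, detail) tuples.

    allowed maps protocol name -> set of authorized destination ports.
    kind "unauthorized-port": the rule admits a port outside the allowlist,
    from any source, because the control is deny-by-default at the boundary.
    kind "admin-exposed": SSH or RDP reachable from 0.0.0.0/0 or ::/0
    (the condition behind CIS AWS 5.1/5.2 and GCP 3.6/3.7 in the table).
    """
    findings = []
    for rule in rules:
        ports = rule_ports(rule)
        protos = ("tcp", "udp") if rule.protocol == "-1" else (rule.protocol,)
        for proto in protos:
            extra = sorted(ports - allowed.get(proto, set()))
            if extra:
                detail = (f"{proto} ports {extra[0]}-{extra[-1]} "
                          f"({len(extra)} outside allowlist) from {rule.source}")
                findings.append((rule.group, "unauthorized-port", detail))
            exposed = sorted(ADMIN_PORTS & ports)
            if proto == "tcp" and exposed and is_world_open(rule):
                findings.append((rule.group, "admin-exposed",
                                 f"tcp {exposed} open to {rule.source}"))
    return findings


# Constructed sample rules (not taken from any real account).
SAMPLE_RULES = [
    IngressRule("web-sg", "tcp", 443, 443, "0.0.0.0/0"),         # authorized
    IngressRule("web-sg", "tcp", 22, 22, "0.0.0.0/0"),           # SSH open to the world
    IngressRule("bastion-sg", "tcp", 22, 22, "203.0.113.0/24"),  # SSH from one office range
    IngressRule("legacy-sg", "-1", -1, -1, "::/0"),              # everything from everywhere
    IngressRule("db-sg", "tcp", 3306, 3306, "10.0.0.0/8"),       # MySQL is not authorized here
]
ALLOWED = {"tcp": {22, 443}, "udp": set()}  # hypothetical authorized-port policy


def audit_sample():
    """Run the audit over the constructed rules; returns five findings."""
    return audit_rules(SAMPLE_RULES, ALLOWED)


if __name__ == "__main__":
    for group, kind, detail in audit_sample():
        print(f"{group:12} {kind:18} {detail}")
```

Note that `bastion-sg` produces no finding: SSH from a single office range is exactly what the GCP 3.6 and AWS 5.2 items permit, while the same port on `web-sg` is flagged because the source is `0.0.0.0/0`. The `legacy-sg` rule is the case a boundary review most needs to catch, since a single all-protocols rule silently authorizes every port and both admin services at once.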