CSCv7|4.5

Title

Use Multifactor Authentication For All Administrative Access

Description

Use multi-factor authentication and encrypted channels for all administrative account access.

Reference Item Details

Category: Controlled Use of Administrative Privileges

Audit Items

Name | Plugin | Audit Name
1.1 Ensure that multi-factor authentication is enabled for all privileged users | microsoft_azure | CIS Microsoft Azure Foundations v1.3.1 L1
1.1.21 Ensure that the --kubelet-certificate-authority argument is set as appropriate | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - certificate | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - key | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.2.2 Set 'transport input ssh' for 'line vty' connections | Cisco | CIS Cisco IOS 16 L1 v1.1.2
1.2.2 Set 'transport input ssh' for 'line vty' connections | Cisco | CIS Cisco IOS 17 L1 v1.0.0
1.2.2 Set 'transport input ssh' for 'line vty' connections | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.2.3 Ensure HTTP and Telnet options are disabled for the management interface | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - certificate | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - key | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.2.5 Ensure valid certificate is set for browser-based administrator interface - Authentication Profile | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L2 v1.0.0
1.2.5 Ensure valid certificate is set for browser-based administrator interface - Certificate Profiles | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L2 v1.0.0
1.2.5 Ensure valid certificate is set for browser-based administrator interface - Certificates | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L2 v1.0.0
1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Unix | CIS Kubernetes Benchmark v1.6.1 L1 Master
1.5 Ensure MFA is enabled for the 'root' user account | amazon_aws | CIS Amazon Web Services Foundations L1 1.4.0
1.5.1 Ensure 'V3' is selected for SNMP polling | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3 | Cisco | CIS Cisco IOS 17 L2 v1.0.0
1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3 | Cisco | CIS Cisco IOS 16 L2 v1.1.2
1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3 | Cisco | CIS Cisco IOS 15 L2 v4.1.1
1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 | Cisco | CIS Cisco IOS 17 L2 v1.0.0
1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 | Cisco | CIS Cisco IOS 16 L2 v1.1.2
1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 | Cisco | CIS Cisco IOS 15 L2 v4.1.1
1.6 Ensure hardware MFA is enabled for the 'root' user account | amazon_aws | CIS Amazon Web Services Foundations L2 1.4.0
1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | amazon_aws | CIS Amazon Web Services Foundations L1 1.4.0
18.9.15.1 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.2.0
18.9.15.1 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.2.0
18.9.15.2 (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1
18.9.15.2 (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2016 DC L1 v1.3.0
18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' | Windows | CIS Windows Server 2012 DC L1 v2.2.0
18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' | Windows | CIS Windows Server 2012 MS L1 v2.2.0
18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.2.0
18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2016 MS L1 v1.3.0
18.9.15.2 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' | Windows | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.2.0
18.9.59.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 2 v3.2.0
18.9.59.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled' | Windows | CIS Windows Server 2012 MS L2 v2.2.0
18.9.59.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled' | Windows | CIS Windows Server 2012 DC L2 v2.2.0
18.9.59.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 2 v3.2.0
18.9.59.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 R2 Member Server Level 2 v3.2.0
18.9.59.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.9.59.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1
18.9.59.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Windows Server 2012 DC L1 v2.2.0
18.9.59.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Windows Server 2012 MS L1 v2.2.0
18.9.59.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.2.0
18.9.59.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.2.0
18.9.59.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.2.0
18.9.59.3.9.2 Ensure 'Require secure RPC communication' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.2.0
18.9.59.3.9.3 (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker