Remote Endpoint STIG

  • Version/Release: V2R7
  • Published: 2012-07-09

Disable file and print sharing on remote access devices.
Medium - V-6649 - SV-6795r1_rule
Severity: Medium
Version: SRC-EPT-190
Vuln IDs: V-6649
Rule IDs: SV-6795r1_rule
Discussion: File and print sharing needs to be disabled so that file access is not available to unauthorized users.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-2575r1_chk

This check verifies that file and print sharing is not installed on remote access devices. Open Control Panel from Start > Settings, then open Network and Dial-up Connections. Right-click Local Area Connection and select Properties. If File and Print Sharing is not listed, this is not a finding. If File and Print Sharing is listed, check the personal firewall policy: if inbound port 445 (SMB) is filtered, this is not a finding. If File and Print Sharing is listed and the firewall policy does not filter inbound 445, this is a finding.

Fix: F-6590r1_fix

Disable file and print sharing.
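The check above can be automated on a current Windows endpoint. The following PowerShell is an added example and is not part of the STIG; it assumes Windows 8/Server 2012 or later (NetAdapter and NetSecurity modules) and an elevated session. The function names are hypothetical. It reports whether the SMB server component (ms_server, the modern name for "File and Printer Sharing for Microsoft Networks") is bound to any adapter, whether any enabled inbound rule exposes TCP 445, and whether every firewall profile filters inbound traffic by default, then derives the SRC-EPT-190 finding exactly as the check text does.

```powershell
# Added example, not STIG text. Audits and remediates File and Printer Sharing
# on a Windows endpoint. Assumes Windows 8/Server 2012+ and an elevated session.
#Requires -RunAsAdministrator

function Test-FilePrintSharing {
    # Adapters on which the SMB server component (ms_server) is bound and enabled.
    $bound = @(Get-NetAdapterBinding -ComponentID ms_server | Where-Object { $_.Enabled })

    # Enabled inbound Allow rules that expose SMB: the built-in rule group, or any
    # rule whose local TCP port list names 445. A rule opening 'Any' port or a
    # range is not matched here; it is caught by the profile check below only if
    # the profile itself is not deny-by-default.
    $smbRules = @(foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
        $pf = $rule | Get-NetFirewallPortFilter
        if ($rule.DisplayGroup -eq 'File and Printer Sharing' -or
            ($pf.Protocol -eq 'TCP' -and @($pf.LocalPort) -contains '445')) { $rule }
    })

    # Profiles that are off, or that do not block inbound by default, let 445 through.
    $openProfiles = @(Get-NetFirewallProfile | Where-Object {
        [string]$_.Enabled -ne 'True' -or [string]$_.DefaultInboundAction -ne 'Block'
    })

    [pscustomobject]@{
        SharingBoundOn          = ($bound.Name -join ', ')
        InboundRulesExposing445 = ($smbRules.DisplayName -join ', ')
        ProfilesNotFiltering    = ($openProfiles.Name -join ', ')
        # SRC-EPT-190 finding: sharing is present AND inbound 445 is not filtered.
        Finding = ($bound.Count -gt 0) -and ($smbRules.Count -gt 0 -or $openProfiles.Count -gt 0)
    }
}

function Disable-FilePrintSharing {
    # Fix: unbind the SMB server from every adapter and disable its rule group.
    Disable-NetAdapterBinding -Name '*' -ComponentID ms_server -Confirm:$false
    Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
}

Test-FilePrintSharing | Format-List
```

Run `Test-FilePrintSharing` first; if `Finding` is true, `Disable-FilePrintSharing` applies the fix and a second run should show sharing unbound and no rule exposing 445. Note that TCP 139 (NetBIOS session) is covered by the same built-in rule group, so disabling the group closes both paths.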

When a modem is installed, incoming dial-up capability to the user's remote device (e.g., laptop, workstation) will be disabled.
Medium - V-6650 - SV-6796r1_rule
Severity: Medium
Version: SRC-EPT-191
Vuln IDs: V-6650
Rule IDs: SV-6796r1_rule
Discussion: Accepting incoming dial-up connections on a device not intended to receive them opens an attack surface.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-2577r1_chk

This check verifies that the remote access software is configured for dial-out only. Navigate to the Services applet in the Administrative Tools folder. Locate the Remote Access Service (or the third-party remote access software service) in the services list and open its properties. Highlight the communications port and select Configure. Verify that "dial-out only" is selected. If a modem is installed and enabled in the active profile, the SA should demonstrate that auto-answer and manual-answer modes are not used. Work with the SA to review the configuration of several remote access devices. On the client device this setting is usually found in the specific communications software in use; all communications software, regardless of function, must have this capability disabled if it is available. Examples include WinFax and other fax software, pcAnywhere and other remote control software, and Internet and POTS phone dialers. It is not possible to write checks for every possible application, so the reviewer should work with the SA to review the settings of all installed RAS applications. If the remote devices are not available for review, ensure that disabling this setting is addressed in the user agreement, training materials, or site remote device configuration procedures.

Fix: F-6591r1_fix

Disable incoming dial-up.

Remote access devices will be configured so that the operation of the NIC and the modem are mutually exclusive.
Low - V-6651 - SV-6797r1_rule
Severity: Low
Version: SRC-EPT-192
Vuln IDs: V-6651
Rule IDs: SV-6797r1_rule
Discussion: Disabling the NIC while the modem is enabled reduces the risk of a device being on the LAN and on a dial-up connection at the same time.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-2578r1_chk

This check verifies that the remote access device is configured to prevent simultaneous use of the NIC and modem for communications. Verify that the remote device is configured to use at least two hardware profiles: one profile enables the modem and disables the NIC, while the second disables the modem and enables the NIC. Navigate to Control Panel, open the "System" applet, select the "Hardware" tab of the System Properties dialog box, and click the "Device Manager" button. Expand and view the properties for the modem and the network adapter (controller) and review the selection in the "Device Usage" area. Reboot, select the other hardware profile upon restart, and repeat the above steps to view the modem and NIC in that profile. If profiles are not in use on the remote device, this is a finding. If "Use this device (enable)" is selected for both the modem and the NIC in a single hardware profile, this is a finding.

Fix: F-6592r1_fix

Create a hardware profile that disables the modem when the network card is active.

Changes to the security configuration of software or hardware of a Government-controlled remote access device are made without prior approval of the IAO.
Low - V-6653 - SV-6799r1_rule
Severity: Low
Version: SRC-EPT-360
Vuln IDs: V-6653
Rule IDs: SV-6799r1_rule
Discussion: Strong configuration controls help prevent unauthorized configuration changes and software installs on remote devices.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-2579r1_chk

This check verifies use of workstation policy and site written policy to prevent unapproved configuration changes. The system's user and advanced user rights policies must be configured in accordance with DISA requirements to prevent users without administrative rights from installing or changing software or hardware configuration that may adversely affect the security posture of the laptop or workstation. Use the User Manager or Administrative Tools applet to view user accounts and policies for users who access the system's resources. Select "User Rights" from the "Policies" menu and check the "Show Advanced User Rights" box. Using the drop-down box labeled "Right," navigate to each right listed below and compare the contents of the "Grant To" list box with the authorized groups in the table. Click "Cancel" when finished examining the data in this dialog box. If there are any discrepancies, this is a finding.

User Right                            Authorized Groups
Load and unload device drivers        Administrators
Modify firmware environment values    Administrators

Next, examine any procedures or remote access agreement that inform the user of this requirement. If the user is not informed of this requirement, or if rights are not restricted to prevent installation of software or device drivers, this is a finding. View a copy of the approval letters if such approvals have been authorized.

Fix: F-6595r1_fix

Create a software baseline.
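The user-rights comparison in the check above can be scripted against the local security policy. The following PowerShell is an added example and is not part of the STIG; it uses `secedit.exe`, which ships with every Windows version and needs an elevated session, and a hypothetical `$AllowedRights` table that encodes the two rows of the STIG's table by privilege constant and well-known SID (S-1-5-32-544 is BUILTIN\Administrators). The exported policy is parsed from its `[Privilege Rights]` section, SIDs are resolved to names for the report, and any principal outside the authorized set is flagged.

```powershell
# Added example, not STIG text. Compares User Rights Assignment with the STIG
# table (both rights restricted to Administrators). Requires elevation.
#Requires -RunAsAdministrator

# Hypothetical policy table: privilege constant -> SIDs allowed to hold it.
$AllowedRights = @{
    'SeLoadDriverPrivilege'        = @('S-1-5-32-544')   # Load and unload device drivers
    'SeSystemEnvironmentPrivilege' = @('S-1-5-32-544')   # Modify firmware environment values
}

function Get-PrivilegeRights {
    # Export only the USER_RIGHTS area of local policy and parse the
    # "SeXxxPrivilege = *SID,*SID" lines under [Privilege Rights].
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $rights = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
                # Entries are comma separated; SIDs carry a leading '*', plain names do not.
                $rights[$Matches[1]] = @($Matches[2] -split ',' |
                    ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            }
        }
        return $rights
    } finally { Remove-Item -Path $inf -ErrorAction SilentlyContinue }
}

function Resolve-SidName {
    param([string]$Sid)
    try { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }   # unresolvable (e.g. orphaned) SID: report it as-is
}

function Test-UserRights {
    $actual = Get-PrivilegeRights
    foreach ($right in $AllowedRights.Keys) {
        $granted = @($actual[$right])
        $extra   = @($granted | Where-Object { $AllowedRights[$right] -notcontains $_ })
        [pscustomobject]@{
            Right        = $right
            GrantedTo    = (($granted | ForEach-Object { Resolve-SidName $_ }) -join ', ')
            Unauthorized = (($extra   | ForEach-Object { Resolve-SidName $_ }) -join ', ')
            Finding      = $extra.Count -gt 0
        }
    }
}

Test-UserRights | Format-Table -AutoSize
```

A right that is granted to nobody parses as an empty list and is not a finding, which matches the table: the requirement is that no one beyond Administrators holds the right, not that Administrators must.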

A device that accesses a DOD network remotely does not have a personal firewall installed.
Medium - V-6654 - SV-6800r1_rule
Severity: Medium
Version: SRC-EPT-405
Vuln IDs: V-6654
Rule IDs: SV-6800r1_rule
Discussion: A personal firewall is required to protect the laptop from malicious activity while accessing a DOD network remotely.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-2580r1_chk

Because of the variation in installations, you must work with the IAO and manually check to determine the product installed. The software version can usually be verified by starting the firewall program from the toolbar icon or from the Start menu. The version number may appear in the window or be available by clicking the Help menu item and then selecting About; the location varies from product to product. If the personal firewall is supported by the JTF-GNO and is older than the current JTF-GNO-provided release, this is a finding. For technologies for which no compatible DOD-licensed personal firewall is available, DAA approval together with use of a product on the NIAP Validated Products List at Evaluation Assurance Level (EAL) 2 or higher is an acceptable mitigation.

Fix: F-6588r1_fix

Install a personal firewall product that is licensed by DOD.

The site will establish a configuration baseline and policy regarding the use and configuration of personal firewalls for remote access clients.
Low - V-6655 - SV-6801r1_rule
Severity: Low
Version: SRC-EPT-406
Vuln IDs: V-6655
Rule IDs: SV-6801r1_rule
Discussion: A firewall configuration baseline gives the IAO a mechanism to check a firewall's compliance with site policy. These configurations can sometimes be changed by users and should be compared to the baseline.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-2582r1_chk

Review a copy of the site’s baseline procedures or written policy regarding configuration of remote access devices. Note that this check does not include validation of the contents, which is verified in another requirement. If a personal firewall baseline configuration document does not exist, this is a finding.

Fix: F-6597r1_fix

Develop a software baseline for the personal firewall configuration.

Configure the endpoint firewall to block operationally unneeded ports.
High - V-6658 - SV-6804r1_rule
Severity: High
Version: SRC-EPT-400
Vuln IDs: V-6658
Rule IDs: SV-6804r1_rule
Discussion: Blocking all unneeded ports protects the device from potential attacks and worms. (Remote Only)
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-2584r1_chk

Inspect the configuration of the host-based firewall installed on the endpoint devices. Examples of services whose ports are needed for operation are SMTP, SSL/TLS, HTTP, and HTTPS. If other ports are open, request that the IAO provide documented justification showing these ports are needed for site operations. If this documentation does not exist, this is a finding. The method of access to the firewall configuration will vary with the actual software. However, in general, the configuration can be viewed by clicking on the program icon in the desktop tray or by using the Programs menu. Select the Configuration or Settings button/option and view the advanced custom settings for the Internet Zone.

Fix: F-6589r1_fix

Block all unneeded ports.

The host-based firewall installed on the endpoint device will be configured to a Deny-by-Default posture in accordance with the Ports and Protocols Service Management (PPSM) list.
High - V-6659 - SV-6805r1_rule
Severity: High
Version: SRC-EPT-410
Vuln IDs: V-6659
Rule IDs: SV-6805r1_rule
Discussion: Blocking these ports protects the device from denial-of-service attacks. (Remote Only)
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-2585r1_chk

The method of access to the firewall configuration will vary with the actual software. However, in general, the configuration can be viewed by clicking on the program icon in the desktop tray or by using the Start menu. Select the Configuration or Settings button/option, view the advanced custom settings for the Internet Zone, and compare the ports and protocols permitted inbound against the PPSM list. If the personal firewall is not configured for a Deny-by-Default posture, this is a finding.

Fix: F-6596r1_fix

Set up a Deny-by-Default posture on the personal firewall.

The host-based firewall will be configured in a deny-by-default mode for ports and services.
Medium - V-6662 - SV-6810r1_rule
Severity: Medium
Version: SRC-EPT-420
Vuln IDs: V-6662
Rule IDs: SV-6810r1_rule
Discussion: Configuring the personal firewall in a deny-by-default posture ensures that only known and needed ports are opened for traffic. (Remote Only)
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-2590r1_chk

This check verifies that the firewall is configured in a deny by default posture. The method of access to the firewall configuration will vary with the actual software. However, in general, the configuration can be viewed by clicking on the program icon in the desktop tray or by using the Start menu. Select the Configuration or Settings button/option and view the advanced custom settings for the Internet Zone. If the firewall is not in a deny by default posture, this is a finding.

Fix: F-6598r1_fix

Ensure the firewall is in a deny by default configuration.
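The four firewall requirements above (SRC-EPT-405 product presence, SRC-EPT-400 unneeded ports, and the Deny-by-Default posture of SRC-EPT-410 and SRC-EPT-420) reduce to three questions on a Windows endpoint: is a firewall registered and running, does every profile block inbound traffic by default, and which ports do the enabled inbound rules actually open. The PowerShell below is an added example and is not part of the STIG; it assumes Windows 8/Server 2012 or later (NetSecurity module), an elevated session, and that the `root/SecurityCenter2` namespace is present (client editions only; on servers that query returns nothing). The `$Approved` list is a hypothetical stand-in for the site's PPSM-justified ports and is seeded with the page's own examples (SMTP, HTTPS/SSL, HTTP).

```powershell
# Added example, not STIG text. Audits host firewall presence, Deny-by-Default
# posture and the inbound ports opened by enabled rules. Windows 8/2012+.
#Requires -RunAsAdministrator

function Get-RegisteredFirewall {
    # Firewalls registered with Windows Security Center (client editions only).
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName FirewallProduct -ErrorAction SilentlyContinue |
        Select-Object displayName, productState, pathToSignedProductExe
}

function Test-DenyByDefault {
    # Every profile (Domain, Private, Public) must be enabled with inbound default Block.
    foreach ($p in Get-NetFirewallProfile) {
        [pscustomobject]@{
            Profile              = $p.Name
            Enabled              = [string]$p.Enabled
            DefaultInboundAction = [string]$p.DefaultInboundAction
            Finding = ([string]$p.Enabled -ne 'True') -or ([string]$p.DefaultInboundAction -ne 'Block')
        }
    }
}

function Get-OpenInboundPorts {
    # One row per enabled inbound Allow rule with the local ports it opens.
    # Anything not in $Approved needs documented IAO justification (SRC-EPT-400).
    # A LocalPort of 'Any', a range, or a keyword such as 'RPC' is reported as
    # unapproved on purpose: it must be justified explicitly.
    param([string[]]$Approved = @('25', '443', '80'))   # hypothetical site list
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
        $pf    = $rule | Get-NetFirewallPortFilter
        $ports = @($pf.LocalPort)
        [pscustomobject]@{
            Rule       = $rule.DisplayName
            Profile    = [string]$rule.Profile
            Protocol   = $pf.Protocol
            LocalPort  = ($ports -join ',')
            OnApproved = (@($ports | Where-Object { $Approved -notcontains $_ }).Count -eq 0)
        }
    }
}

function Set-DenyByDefault {
    # Fix for SRC-EPT-410/420: all profiles on, inbound blocked, outbound allowed.
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow
}

Get-RegisteredFirewall
Test-DenyByDefault | Format-Table -AutoSize
Get-OpenInboundPorts | Where-Object { -not $_.OnApproved } | Format-Table -AutoSize
```

The unapproved-rule listing is the artifact to compare with the IAO's written justification; a Deny-by-Default profile with a long list of enabled Allow rules is not materially better than a permissive one, so the third output matters as much as the second.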

Host-based firewalls installed on the endpoint devices will be configured to log all inbound connections.
Low - V-6663 - SV-6811r1_rule
Severity: Low
Version: SRC-EPT-430
Vuln IDs: V-6663
Rule IDs: SV-6811r1_rule
Discussion: Logs are needed in the event that an attack was successful or in order to detect potentially malicious activity. (Remote Only)
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-2591r1_chk

Have the SA or NSO demonstrate the configuration of the personal firewall. The method of access to the firewall configuration will vary with the actual software. However, in general, the configuration can be viewed by clicking on the program icon in the desktop tray or by using the Start menu. Navigate to the Alerts configuration menu or tab and verify that the setting to log alerts is enabled. At a minimum, all inbound connections from the Internet Zone must be logged to a text file. If the log alerts setting is not enabled in the personal firewall software, this is a finding.

Fix: F-6599r1_fix

Configure the firewall to log inbound connections.

The remote user will be trained to inspect the firewall logs at least weekly and report any unusual events or suspicious activity to their security officer.
Low - V-6664 - SV-6812r1_rule
Severity: Low
Version: SRC-EPT-440
Vuln IDs: V-6664
Rule IDs: SV-6812r1_rule
Discussion: Log review is an important step in determining whether potentially malicious activity has occurred so that it can be reported.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-2592r1_chk

Inspect the training or user agreement documentation. Verify that the users are informed of this requirement. If the user is unaware of this requirement or does not perform this task at least weekly, this is a finding.

Fix: F-6600r1_fix

Develop and implement procedures to review audit data.
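SRC-EPT-430 asks for inbound connections to be logged and SRC-EPT-440 for the user to review that log weekly; the two only work together if the log is both enabled and reducible to something a user can read. The PowerShell below is an added example and is not part of the STIG. It turns on logging for the Windows firewall on every profile and then summarizes a log in the W3C text format the Windows firewall writes (`#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path`), keeping only inbound (`RECEIVE`) events and grouping them by action, remote address and local port. The sample log is constructed for this example, not a real capture, so the summary runs offline; the function names are hypothetical.

```powershell
# Added example, not STIG text. Enables inbound-connection logging and
# summarizes pfirewall.log for the weekly review. Windows 8/2012+ for the
# Set-NetFirewallProfile call; the parser runs anywhere PowerShell does.

function Enable-InboundConnectionLogging {
    # Log dropped and allowed packets on all profiles. Path is the Windows default;
    # %systemroot% is expanded by the firewall service, not by PowerShell.
    Set-NetFirewallProfile -All -LogBlocked True -LogAllowed True `
        -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
        -LogMaxSizeKilobytes 16384
}

function Get-InboundLogSummary {
    # Returns one row per (action, remote IP, local port) for inbound events,
    # most frequent first, with the number of distinct days the pattern was seen.
    param([string[]]$Lines)
    $events = foreach ($line in $Lines) {
        if ($line -match '^#' -or -not $line.Trim()) { continue }   # header / blank
        $f = $line -split '\s+'
        if ($f.Count -lt 17 -or $f[16] -ne 'RECEIVE') { continue } # outbound or malformed
        [pscustomobject]@{ Date = $f[0]; Action = $f[2]; Protocol = $f[3]; SrcIP = $f[4]; DstPort = $f[7] }
    }
    $events | Group-Object Action, SrcIP, DstPort | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Action  = $_.Group[0].Action
            SrcIP   = $_.Group[0].SrcIP
            DstPort = $_.Group[0].DstPort
            Count   = $_.Count
            Days    = @($_.Group.Date | Sort-Object -Unique).Count
        }
    }
}

# Constructed sample (not a real capture): one host probing SMB and RDP,
# one allowed inbound HTTPS connection, one outbound connection to ignore.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-07-09 08:01:10 DROP TCP 203.0.113.5 192.0.2.20 51234 445 52 S 1001 0 8192 - - - RECEIVE
2012-07-09 08:01:11 DROP TCP 203.0.113.5 192.0.2.20 51235 445 52 S 1002 0 8192 - - - RECEIVE
2012-07-10 08:01:12 DROP TCP 203.0.113.5 192.0.2.20 51236 3389 52 S 1003 0 8192 - - - RECEIVE
2012-07-10 09:15:00 ALLOW TCP 192.0.2.20 198.51.100.7 49800 443 0 - 0 0 0 - - - SEND
2012-07-10 09:15:01 ALLOW TCP 198.51.100.7 192.0.2.20 50122 443 0 - 0 0 0 - - - RECEIVE
'@ -split "`r?`n"

Get-InboundLogSummary -Lines $sample | Format-Table -AutoSize
# On a live host: Get-InboundLogSummary -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

On the sample this yields two DROP rows from 203.0.113.5 (445 twice, 3389 once) and one ALLOW row on 443; a remote user can report the repeated-DROP rows to the security officer without reading raw log lines. The "ALLOW ... RECEIVE" rows are the ones worth the most attention, since they are connections the firewall let in.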

The personal firewall must be set to a minimum level of "Medium" or other designated intermediate setting or higher.
Medium - V-6665 - SV-6813r1_rule
Severity: Medium
Version: SRC-EPT-450
Vuln IDs: V-6665
Rule IDs: SV-6813r1_rule
Discussion: By setting the overall firewall level to an intermediate ("Medium") or high setting, a protection mechanism is in place to protect the machine from malicious activity. (Remote Only)
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-2593r1_chk

This check verifies that the personal firewall security level is in compliance. The method of access to the firewall configuration will vary with the actual software. However, in general, the configuration can be viewed by clicking on the program icon in the desktop tray or by using the Programs menu. Navigate to the personal firewall Security Settings configuration window or tab and verify that the security level for both the Local and Internet Zones is set to the intermediate setting of "Medium" or higher. The specific default intermediate settings may vary depending on the vendor firewall used. At a minimum, this level of security should be customized to include the following:

  • Block all Internet access until expressly permitted by the user.
  • Silently block unused ports.
  • Block or prompt for use of Java applets and ActiveX controls.

If the security level is not set to a minimum of intermediate or "Medium" and the above listed minimum settings are not in place, mark this as a Category II finding.

Fix: F-6602r1_fix

Ensure firewall is set to at least a medium level of security.

Encrypt sensitive data (e.g., FOUO, Privacy Act information) stored on remote access/telework clients using a whole disk encryption method. The encryption system is on the Data at Rest (DAR) approved products list or is FIPS 140-2 overall Level 1 or 2 validated (as directed by the DAA based on the sensitivity of the data).
Medium - V-6667 - SV-6815r1_rule
Severity: Medium
Version: SRC-EPT-570
Vuln IDs: V-6667
Rule IDs: SV-6815r1_rule
Discussion: The July 3, 2007 DoD Policy Memorandum "Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media" requires that remote and mobile drives be encrypted using FIPS 140-2 validated modules. With a few exceptions, products must be procured from the DAR contract: DoD Components must purchase DAR encryption products to protect DoD DAR on mobile computing devices and removable storage media through the ESI or GSA SmartBuy BPAs. The exceptions are encryption products that are FIPS 140-2 validated and included as an integral part of other products, such as Vista BitLocker, and cryptographic modules approved by NSA (with a formal NSA Approval Letter).
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-2595r1_chk

This check verifies use of an approved encryption product to protect data on client devices used for remote access. The site should provide documentation of compliance. The site may also provide documentation that the product is on the approved Data at Rest (DAR) products list. To verify that encryption is configured on the remote endpoints, check the configuration of the operating system. If an approved product is not used, or it is not configured for use on the devices, this is a finding.

Fix: F-6604r1_fix

Ensure sensitive data is encrypted using an approved encryption product.

The remote user will back up and store the private encryption key in a secure location.
Medium - V-6669 - SV-6817r1_rule
Severity: Medium
Version: SRC-EPT-590
Vuln IDs: V-6669
Rule IDs: SV-6817r1_rule
Discussion: If the encryption key is lost, the data will be nonrecoverable.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-2597r1_chk

Interview a sampling of remote users to verify that they store a copy of the private encryption key in a secure location (e.g., on a floppy disk or CD). If they do not follow this procedure, ask whether they were trained on this requirement and examine the site's remote user agreement or training documentation for a description of the procedure. If the user does not have a backup of the private key, this is a finding. If users are not available for interview and this requirement is not addressed in either user training or the user access agreement, this is a finding.

Fix: F-6606r1_fix

Develop and implement a process to ensure a backup of the encryption key is stored in a secure location.

Establish a mechanism or put a procedure in place for key and/or data recovery to prevent loss of data if the user loses the encryption key.
Low - V-6670 - SV-6818r1_rule
Severity: Low
Version: SRC-EPT-600
Vuln IDs: V-6670
Rule IDs: SV-6818r1_rule
Discussion: Without a mechanism for key recovery, any data that was encrypted with the key could be lost.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-2598r1_chk

Interview the IAO to verify data loss prevention procedures for encrypted data on remote access devices. These procedures may be as simple as a requirement for users to back up their data, or an automated backup to an unencrypted folder on the network. Alternative but more expensive methods are third-party key storage and multiple-key access. If procedures do not exist for key or data recovery, this is a finding.

Fix: F-6608r1_fix

Develop a recovery plan for key recovery or data recovery in the event of a lost key.
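The three data-at-rest requirements above (SRC-EPT-570 whole-disk encryption with a FIPS 140-2 validated product, SRC-EPT-590 a backed-up recovery key, SRC-EPT-600 a recovery mechanism) can all be verified and partly enforced with BitLocker, which the SRC-EPT-570 discussion names as an acceptable integral product. The PowerShell below is an added example and is not part of the STIG. It assumes Windows 8/Server 2012 or later with the BitLocker module and an elevated session; the Active Directory escrow step additionally assumes a domain-joined device whose schema and Group Policy permit BitLocker recovery-information backup. The function names are hypothetical. The first function reports each volume's encryption state together with the system FIPS policy flag; the second makes sure every protected volume has a recovery-password protector and escrows it.

```powershell
# Added example, not STIG text. Verifies BitLocker whole-disk encryption and
# FIPS policy, and escrows recovery passwords. Windows 8/2012+, elevated.
#Requires -RunAsAdministrator

function Test-DarEncryption {
    # FIPS-mode policy flag (documented registry location). When set, BitLocker
    # and other CNG consumers are restricted to FIPS-approved algorithms.
    $fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                             -Name Enabled -ErrorAction SilentlyContinue
    $fipsOn = ($fips.Enabled -eq 1)
    foreach ($v in Get-BitLockerVolume) {
        [pscustomobject]@{
            Volume           = $v.MountPoint
            VolumeType       = [string]$v.VolumeType
            VolumeStatus     = [string]$v.VolumeStatus
            ProtectionStatus = [string]$v.ProtectionStatus
            EncryptionMethod = [string]$v.EncryptionMethod
            FipsPolicy       = $fipsOn
            # SRC-EPT-570 finding: volume not fully encrypted or protection off.
            Finding = ([string]$v.VolumeStatus -ne 'FullyEncrypted') -or ([string]$v.ProtectionStatus -ne 'On')
        }
    }
}

function Backup-RecoveryPasswords {
    # For every protected volume ensure a recovery-password protector exists and,
    # if requested, escrow it to Active Directory (SRC-EPT-590/600). Returns the
    # protector IDs for the site's records; the 48-digit password itself is
    # deliberately not emitted here, so it only goes to the secure medium the
    # user agreement names.
    param([switch]$ToActiveDirectory)
    foreach ($v in Get-BitLockerVolume | Where-Object { [string]$_.ProtectionStatus -eq 'On' }) {
        $rp = @($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0) {
            $updated = Add-BitLockerKeyProtector -MountPoint $v.MountPoint -RecoveryPasswordProtector
            $rp = @($updated.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
        foreach ($p in $rp) {
            if ($ToActiveDirectory) {
                Backup-BitLockerKeyProtector -MountPoint $v.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            }
            [pscustomobject]@{
                Volume         = $v.MountPoint
                KeyProtectorId = $p.KeyProtectorId
                EscrowedToAD   = [bool]$ToActiveDirectory
            }
        }
    }
}

Test-DarEncryption | Format-Table -AutoSize
Backup-RecoveryPasswords -ToActiveDirectory | Format-Table -AutoSize
```

Run `Test-DarEncryption` on the endpoint to answer SRC-EPT-570; a `Finding` of false for the operating-system volume with `FipsPolicy` true is the evidence to attach. `Backup-RecoveryPasswords` covers the "simple" recovery procedure of SRC-EPT-600 for sites without a third-party key-escrow product, and the returned `KeyProtectorId` is what the help desk uses to locate the password in AD later.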

The VPN client on the endpoint device will be configured to disable or disallow split tunneling.
Medium - V-6671 - SV-6819r1_rule
Severity: Medium
Version: SRC-EPT-800
Vuln IDs: V-6671
Rule IDs: SV-6819r1_rule
Discussion: Split tunneling needs to be disabled so that the device's traffic is not exposed to two networks at the same time. This means that local printing for teleworkers will not be available during a VPN session. (Remote Only)
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-2599r1_chk

Execute the software's dialer applet from the Programs menu. The selections may vary depending on the product used for the VPN client. Verify in the Properties dialog box that split tunneling is disabled, that is, that full tunneling is selected. Upon establishment of a VPN connection to a DOD network, no other connections of any kind may be established. Next, verify that the setting for "local LAN access" is not selected; for example, if a home network is used, no connection between the device and other home network devices may be established during a VPN session. If split tunneling is used for VPN communications or if local LAN access is permitted, even for printing purposes, this is a finding.

Fix: F-6607r1_fix

Configure the VPN so that split tunneling is disabled.

The VPN client configuration will be protected by access control so the remote user cannot change the security settings.
Medium - V-6672 - SV-6820r1_rule
Severity: Medium
Version: SRC-EPT-610
Vuln IDs: V-6672
Rule IDs: SV-6820r1_rule
Discussion: Without proper configuration control, security controls can become lessened on a remote access machine.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-2600r1_chk

Verify that the system's user and advanced user rights policies are configured in accordance with DISA requirements to prevent users without administrative rights from installing or changing software or hardware configurations that may adversely affect the security posture of the remote device. There are several ways to accomplish this. Have the NSO demonstrate the site's method for securing the VPN profile configuration. Since VPN client software generally has no setting that prevents users from changing its configuration, the most likely method is to use operating system file permissions so that the client software's profile directory allows only read and execute access for ordinary users. Next, examine any procedures or remote access agreement that inform the user of this requirement. If the user is not informed of this requirement, or if rights are not restricted to prevent installation of software or device drivers, this is a finding. Note: if the remote user has administrative rights, this is a finding only if no written policy exists informing the user that changes must be pre-approved regardless of administrative rights.

Fix: F-6609r1_fix

Ensure a configuration control process is in place and followed for VPN client configurations.
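The file-permission method the SRC-EPT-610 check describes (profile directory read-and-execute only for ordinary users) is a plain least-privilege ACL. The PowerShell below is an added example and is not part of the STIG; it assumes an elevated session and takes the directory as a parameter, defaulting to the all-users phonebook directory of the Windows built-in client (`rasphone.pbk` under `%ProgramData%\Microsoft\Network\Connections\Pbk`); a third-party client's profile directory is substituted for it. The function names are hypothetical. `Protect-VpnProfileDirectory` cuts inheritance and sets an explicit ACL (SYSTEM and Administrators full control, Users read and execute); `Test-VpnProfileDirectory` lists any non-administrative principal that still holds a write-class right, which is the condition the check calls a finding.

```powershell
# Added example, not STIG text. Restricts a VPN profile directory to
# read-and-execute for ordinary users and audits it. Elevated session required.
#Requires -RunAsAdministrator

$DefaultPbkDir = "$env:ProgramData\Microsoft\Network\Connections\Pbk"   # Windows built-in client

function Protect-VpnProfileDirectory {
    param([string]$Path = $DefaultPbkDir)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and do not copy the inherited entries, so the
    # explicit set below is the whole ACL. Then drop any existing explicit entries.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($rule) }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $entries = @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Users';          Rights = 'ReadAndExecute' }   # no Write, no Delete
    )
    foreach ($e in $entries) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $e.Id, $e.Rights, $inherit, $prop, 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-VpnProfileDirectory {
    # Reports Allow entries for non-administrative principals that include any
    # write-class right. After Protect-VpnProfileDirectory this returns nothing.
    param([string]$Path = $DefaultPbkDir)
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $admins    = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $admins -notcontains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0)
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

Test-VpnProfileDirectory
```

Run `Test-VpnProfileDirectory` before and after `Protect-VpnProfileDirectory`; an empty result after is the evidence for the check. Two caveats: a user who is a local administrator can still change the ACL, which is exactly why the check falls back to written policy for such users, and per-user phonebooks under each profile's `%APPDATA%` are owned by that user and cannot be protected this way, so the site should configure connections with the all-user option.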

Remote users will be trained or given instructions on proper and authorized usage of the VPN client prior to accessing the DoD network.
Low - V-6673 - SV-6821r1_rule
Severity: Low
Version: SRC-EPT-620
Vuln IDs: V-6673
Rule IDs: SV-6821r1_rule
Discussion: Without proper training, remote users may not completely understand the procedures for connecting to a DoD network remotely, which may result in a system compromise.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-2601r1_chk

Verify the existence of VPN client configuration and access procedures. Also, examine the site user training program to ensure VPN security procedures are included. Such items as local LAN access, split tunneling, and obtaining approval for configuration changes should be addressed in the training. If written VPN procedures do not exist, are inadequate, or are not provided to the users, this is a finding. If VPN security is not included in the training program, this is a finding.

Fix: F-6610r1_fix

Develop and distribute user instructions for the VPN client.

Configure the IPSec VPN client to use attributes such as 3DES, tunnel encapsulation mode, and a FIPS 140-2 approved authentication algorithm.
Medium - V-6674 - SV-6822r1_rule
Severity: Medium
Version: SRC-EPT-630
Vuln IDs: V-6674
Rule IDs: SV-6822r1_rule
Discussion: An approved algorithm must be used in order to protect data during the VPN session. (Remote Only)
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-2602r1_chk

Interview the network administrator to ensure both the VPN appliance and the client software use the IPsec tunneling protocol to secure traffic sent between the network and remote access devices; that is, the tunneling protocol selected in the VPN configuration must be IPsec only. Next, navigate to the IPsec configuration tab of the VPN appliance; the IPsec attributes selected must be AES encryption, ESP encapsulation, and a FIPS 140-2 approved authentication algorithm (HMAC-SHA-1 or stronger; HMAC-MD5 is not FIPS 140-2 approved and does not satisfy the requirement title). These settings are controlled in the VPN network appliance configuration, but the encryption and authentication settings in the client configuration must be compatible or the client's connection request will fail. Configuration of the network device is beyond the scope of this requirement; however, these settings are addressed in the VPN procedures document required by SRC-EPT-620. View the dial-up VPN client communications security properties using the following steps. Select "Settings" from the Start menu. Select "Network and Dial-up Connections". Select the VPN connection used to connect to the remote network (its type will be Virtual Private Network). Right-click, select "Properties", and select the "Security" tab. Verify that data encryption is turned on. Refer to SRC-EPT-800 for instructions on verifying that tunnel mode is enabled on the client. If the IPsec tunneling protocol is not enabled for VPN communications between the client and the VPN appliance, this is a finding. If the concentrator is not configured to use ESP and AES, this is a finding. If the VPN client used is not FIPS 140-1/2 validated, this is a finding.

Fix: F-6593r1_fix

Ensure that IPsec is being used.
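For the Windows built-in VPN client, both SRC-EPT-800 (no split tunneling, no local LAN access) and SRC-EPT-630 (AES, ESP, FIPS-approved integrity) are properties of the connection object, so they can be audited and set from one script. The PowerShell below is an added example and is not part of the STIG; it assumes Windows 8.1/Server 2012 R2 or later (VpnClient module) and an IKEv2 tunnel, which is the type on which a custom IPsec policy can be applied. Connection names are whatever the site created; the function names are hypothetical. In Windows the "use default gateway on remote network" choice is the split-tunneling switch, so `SplitTunneling = False` also covers the local-LAN-access condition of the SRC-EPT-800 check. The remediation sets AES-256 with HMAC-SHA-256 rather than the MD5 the SRC-EPT-630 check text mentions, because MD5 is not a FIPS 140-2 approved algorithm.

```powershell
# Added example, not STIG text. Audits the Windows VPN client for split
# tunneling and IPsec attributes, and applies a compliant policy. Win 8.1/2012R2+.

function Test-VpnClientConfig {
    # Both the current user's and the all-user phonebook entries.
    $conns = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
             @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    foreach ($c in $conns) {
        $ipsec = $c.IPsecCustomPolicy   # $null when the connection relies on default negotiation
        [pscustomobject]@{
            Name            = $c.Name
            TunnelType      = [string]$c.TunnelType
            SplitTunneling  = $c.SplitTunneling                    # SRC-EPT-800: must be False
            Encryption      = [string]$ipsec.EncryptionMethod
            Integrity       = [string]$ipsec.IntegrityCheckMethod
            CipherTransform = [string]$ipsec.CipherTransformConstants
            AuthTransform   = [string]$ipsec.AuthenticationTransformConstants
            # Finding if split tunneling is on, the tunnel is not IKEv2/IPsec, no
            # custom policy pins the algorithms, encryption is not AES, or the
            # integrity algorithm is MD5.
            Finding = $c.SplitTunneling -or
                      ([string]$c.TunnelType -ne 'Ikev2') -or
                      (-not $ipsec) -or
                      ([string]$ipsec.EncryptionMethod -notmatch '^(GCM)?AES') -or
                      ([string]$ipsec.IntegrityCheckMethod -eq 'MD5')
        }
    }
}

function Set-VpnClientCompliant {
    param([Parameter(Mandatory)][string]$Name, [switch]$AllUserConnection)
    $scope = @{ AllUserConnection = $AllUserConnection }
    # Full tunnel: all traffic, including local LAN, goes through the DoD network.
    Set-VpnConnection -Name $Name -SplitTunneling $false -Force @scope
    # ESP with AES-256 and HMAC-SHA-256; DH group 14 and PFS for key exchange.
    Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
        -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
        -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
        -DHGroup Group14 -PfsGroup PFS2048 -Force @scope
}

Test-VpnClientConfig | Format-Table -AutoSize
```

The VPN concentrator must offer a matching proposal or the connection will fail, which is the compatibility point the SRC-EPT-630 check makes; a failed connection after `Set-VpnClientCompliant` therefore indicates the appliance side still needs to be brought into line rather than a client bug.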

Ensure SNMP is disabled or not installed on all remote access endpoints.
Medium - V-19141 - SV-20954r1_rule
Severity: Medium
Version: SRC-EPT-350
Vuln IDs: V-19141
Rule IDs: SV-20954r1_rule
Discussion: There are many known vulnerabilities in the SNMP protocol, and if the default community strings and passwords are not modified, an unauthorized individual could gain control of the endpoint. This could lead to a denial of service or the compromise of sensitive data. Since this protocol is blocked at the router, it should not be installed or enabled on remote systems.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-22761r1_chk

Navigate to the Services applet in the Administrative Tools folder. Check the services listing to see if SNMP is installed and enabled. If SNMP service is installed, this is a finding.

Fix: F-19692r1_fix

Ensure SNMP is not enabled.
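The Services applet check above has three modern equivalents on Windows: the service table, the Features-on-Demand capability that installs the SNMP service on Windows 10 1809 and later, and an actual listener on UDP 161. The PowerShell below is an added example and is not part of the STIG; it assumes an elevated session, the NetTCPIP module for the listener check, and the DISM PowerShell module for the capability check (on older systems that query simply returns nothing). The function names are hypothetical. Any of the three conditions is reported as the finding, matching the check text ("if SNMP service is installed"), and the fix stops and disables the services and removes the capability.

```powershell
# Added example, not STIG text. Detects and removes the SNMP service on a
# Windows endpoint. Elevated session required.
#Requires -RunAsAdministrator

function Test-SnmpPresent {
    $svc      = @(Get-Service -Name SNMP, SNMPTRAP -ErrorAction SilentlyContinue)
    $cap      = @(Get-WindowsCapability -Online -Name 'SNMP*' -ErrorAction SilentlyContinue |
                  Where-Object State -eq 'Installed')
    $listener = @(Get-NetUDPEndpoint -LocalPort 161 -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Services         = (($svc | ForEach-Object { '{0}:{1}/{2}' -f $_.Name, $_.Status, $_.StartType }) -join ', ')
        InstalledCapabs  = ($cap.Name -join ', ')
        Udp161Listening  = ($listener.Count -gt 0)
        # SRC-EPT-350 finding: any sign of SNMP being installed or reachable.
        Finding = ($svc.Count -gt 0) -or ($cap.Count -gt 0) -or ($listener.Count -gt 0)
    }
}

function Remove-Snmp {
    foreach ($s in Get-Service -Name SNMP, SNMPTRAP -ErrorAction SilentlyContinue) {
        Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $s.Name -StartupType Disabled
    }
    Get-WindowsCapability -Online -Name 'SNMP*' -ErrorAction SilentlyContinue |
        Where-Object State -eq 'Installed' |
        ForEach-Object { Remove-WindowsCapability -Online -Name $_.Name | Out-Null }
}

Test-SnmpPresent | Format-List
```

Re-run `Test-SnmpPresent` after `Remove-Snmp`; a residual UDP 161 listener with no SNMP service present points at a third-party agent and needs the same treatment through its own uninstaller.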