Determine if Forescout requires a limit of one session per user. This requirement may be verified by demonstration or configuration review.
1. Log on to the Forescout Administrator UI.
2. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions >> Session.
3. Verify that "allow only one login session per user", "Terminate existing session upon new login", and "Console and web portal sessions cannot exist concurrently" are selected.
If Forescout does not enforce one session per user, this is a finding.

Configure Forescout to require a limit of one session per user.
1. Log on to the Forescout Administrator UI.
2. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions >> Session.
3. Check "allow only one login session per user".
4. Select the "Terminate existing session upon new login" radio button.
5. Select "Console and web portal sessions cannot exist concurrently".
Review the documentation to verify a procedure exists to change the account of last resort and root account password when users with knowledge of the password leave the group. If a procedure does not exist to change the account of last resort and root account password when users with knowledge of the password leave the group, this is a finding.
Establish and document a procedure that requires the changing of the account of last resort and root account password when users with knowledge of the password leave the group.
To change the password:
1. Log on to the Forescout Administrator UI.
2. From the menu, select Tools >> Options >> Console Preferences >> Password and Sessions.
3. Click the Password tab.
4. Click "User must change password at next logon if changed by admin user".
Note: The next time the account of last resort is accessed, the user will be prompted to change their password.
Note: Use of a cryptographically generated password is recommended. The password must be stored in a locked safe and used only when necessary, since individual accounts are required to be used to ensure non-repudiation.
Verify only one local account exists and that it has full administrator privileges.
1. Log on to the Forescout Administrator UI.
2. From the menu, select Tools >> Options >> CounterACT User Profiles.
If local accounts in the CounterACT User Profiles or CLI exist other than the accounts of last resort, this is a finding.

There are two default accounts. The CLIAdmin root account can only be used with the CLI. To access the CLI, an account must be created that only has access to the CLI. Accounts created in CounterACT User Profiles in the web management tools do not have access to log in to the CLI. The default console account "Admin" allows access to the web management tool. These accounts can be used as the accounts of last resort, or two other accounts may be created for this purpose as long as a strong password that meets DoD requirements is used for both.
1. Log on to the Forescout Administrator UI.
2. From the menu, select Tools >> Options >> CounterACT User Profiles.
3. Remove unauthorized local accounts not identified as the account of last resort.
Determine if Forescout is configured either to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period, or to use an authentication server to perform this function.
1. Log on to the Forescout Administrator UI.
2. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions.
3. Verify the "Lock account after" radio button is selected.
4. Verify that "3" password failures for "15" minutes is configured.
If the limit of three consecutive invalid logon attempts by a user during a 15-minute time period is not enforced, this is a finding.

Configure Forescout or its associated authentication server to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
1. Log on to the Forescout Administrator UI.
2. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions.
3. Ensure the "Lock account after" radio button is selected.
4. Ensure that "3" password failures for "15" minutes is configured.
1. Log on to the Forescout Administrator UI.
2. Select Tools >> Options >> CounterACT User Profiles >> Password and Sessions.
3. Select the Login tab and check the "Display this Notice and Consent Message after login" option.
4. Select "Before login, prompt user to accept these Terms and Conditions" and view the text.
If the banner is not present or not in exact compliance with the current verbiage and spacing in DTM-08-060, this is a finding.

Log on to the Forescout Administrator UI.
1. Select Tools >> Options >> CounterACT User Profiles >> Password and Sessions.
2. Select the "Login" tab and check the "Display this Notice and Consent Message after login" option.
3. Select "Before login, prompt user to accept these Terms and Conditions".
4. Copy the exact text and formatting for the Standard Mandatory DoD Notice and Consent Banner into the white box. Be sure to adhere to the exact line spacing required by DTM-08-060.
Verify Forescout retains the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. Attempt to log on to the Forescout device as a system administrator using the web management tool.
If Forescout does not retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access, this is a finding.

Log on to the Forescout Administrator UI.
1. Select Tools >> Options >> CounterACT User Profiles >> Password and Sessions.
2. Select the "Login" tab and check the "Display this Notice and Consent Message after login" option.
3. Select "Before login, prompt user to accept these Terms and Conditions".
4. Select "Apply" to save the settings.
Verify the syslog trigger is configured.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers.
3. Under "User Operations", verify "Include user operations" is checked.
If Forescout does not generate log records when successful attempts to access privileges occur, this is a finding.

Configure the syslog trigger.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers.
3. Under "User Operations", check "Include user operations".
Verify the syslog trigger is configured.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers.
3. Under "User Operations", verify "Include user operations" is checked.
If Forescout does not generate log records when attempts to modify administrator privileges occur, this is a finding.

Configure the syslog trigger.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers.
3. Under "User Operations", check "Include user operations".
Verify the syslog trigger is configured.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers.
3. Under "User Operations", verify "Include user operations" is checked.
If Forescout does not generate log records when attempts to delete administrator privileges occur, this is a finding.

Configure the syslog trigger.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers.
3. Under "User Operations", check "Include user operations".
Verify the syslog trigger is configured.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers.
3. Under "User Operations", verify "Include user operations" is checked.
If Forescout does not generate log records when successful logon attempts occur, this is a finding.

Configure the syslog trigger.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers.
3. Under "User Operations", check "Include user operations".
Verify the syslog trigger is configured.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers.
3. Under "User Operations", verify "Include user operations" is checked.
If Forescout does not generate log records for privileged activities or other system-level access, this is a finding.

Configure the syslog trigger.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers.
3. Under "User Operations", check "Include user operations".
Verify the syslog trigger is configured.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers.
3. Under "User Operations", verify "Include user operations" is checked.
If Forescout does not generate log records showing the starting and ending time for administrator access to the system, this is a finding.

Configure the syslog trigger.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers.
3. Under "User Operations", check "Include user operations".
Verify the syslog trigger is configured.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers.
3. Under "User Operations", verify "Include user operations" is checked.
If Forescout does not generate log records when concurrent logons from different workstations occur, this is a finding.

Configure the syslog trigger.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers.
3. Under "User Operations", check "Include user operations".
Verify the syslog server configuration.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> Modules >> Syslog >> Send Events To.
3. Click the IP address of the site's centralized syslog server.
4. Verify "Use TLS" is checked.
5. Verify OCSP, Identity, Facility, and Severity, as required by the SSP, are configured.
If the site's syslog server is not configured, or if it is not configured to use TLS and OCSP, this is a finding.

Configure the syslog server.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> Modules >> Syslog >> Send Events To.
3. Click "Add".
4. Enter the IP address of the site's centralized syslog server.
5. Check "Use TLS".
6. Configure OCSP, Identity, Facility, and Severity as required by the SSP.
Determine if Forescout is configured to synchronize internal clocks with the organization's primary and secondary NTP servers.
1. Open an SSH session and authenticate to the Forescout command line.
2. Verify a primary and secondary NTP server have been configured with the command "fstool ntp test".
If Forescout is not configured to synchronize internal information system clocks with the organization's primary and secondary NTP servers, this is a finding.

Configure Forescout to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
1. Open an SSH session and authenticate to the Forescout command line.
2. Configure the primary and secondary NTP servers with the command "fstool ntp setup <ip address>".
Determine if Forescout records time stamps for log records that can be mapped to UTC. This requirement may be verified by demonstration or configuration review. Verify by connecting to the appliance via SSH using standard user/operator privilege.
1. Type "date" at the command prompt.
2. Verify the date references accurate time and "UTC" shows just before the year.
If Forescout does not record time stamps for log records that can be mapped to UTC, this is a finding.

Configure Forescout to record time stamps for log records that can be mapped to UTC.
Note: Updating time preferences will force Forescout into maintenance mode and the service must be restarted. Use a scheduled outage for planned maintenance and stop the Forescout service prior to adjusting time settings.
1. Type the following command at the prompt using the IP address of the required NTP server: fstool ntp <ip address>
2. Ensure the date references accurate time and the time zone points to UTC next to the year.
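The "UTC shows just before the year" check above, as a scriptable audit helper. This is an added example, not part of the STIG text or of Forescout's own tooling; the sample date strings are constructed, and the helper assumes the default `date` output layout (weekday, month, day, time, zone, year).

```shell
#!/bin/sh
# Added helper (not part of the STIG or of Forescout): scriptable form of the
# "date shows UTC just before the year" check from the time stamp requirement.

# check_utc_date "<output of date>"
# Returns 0 when the field before the year is "UTC" and the year is four
# digits, 1 otherwise. Prints a one-line PASS/FAIL reason for the audit log.
check_utc_date() {
  line=$1
  # Last whitespace-separated field is the year, the one before it the zone
  # (default `date` layout: "Tue Mar  5 14:02:11 UTC 2024").
  year=$(printf '%s\n' "$line" | awk '{print $NF}')
  tz=$(printf '%s\n' "$line" | awk '{print $(NF-1)}')
  case $year in
    [0-9][0-9][0-9][0-9]) ;;
    *) echo "FAIL: no four-digit year at end of: $line"; return 1 ;;
  esac
  if [ "$tz" = "UTC" ]; then
    echo "PASS: time zone field is UTC ($line)"
    return 0
  fi
  echo "FAIL: time zone field is '$tz', not UTC ($line)"
  return 1
}

# audit_local_clock: apply the check to this host's own `date` output, which
# is what the STIG step does interactively over SSH.
audit_local_clock() {
  check_utc_date "$(date)"
}

# Constructed sample strings for a stand-alone run (one compliant, one not).
check_utc_date "Tue Mar  5 14:02:11 UTC 2024"
check_utc_date "Tue Mar  5 09:02:11 EST 2024" || :
```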
Determine if the network device prohibits installation of software without explicit privileged status. This requirement may be verified by demonstration or configuration review.
1. From the menu, select Tools >> Options >> User Console and Options.
2. Select (highlight) the user profile to be reviewed (group or user) and then select Edit >> Permissions.
3. Check a sampling of users against the current SSP to verify only the users that should have the privilege to update software have the Software Upgrade privilege selected.
If installation of software is not prohibited without explicit privileged status, this is a finding.

Remove accounts that are not authorized. Do not remove the account of last resort. Compare users with the current SSP and ensure only the users that should have the privilege to update software have the Software Upgrade privilege selected.
1. From the menu, select Tools >> Options >> User Console and Options.
2. Select (highlight) the user profile to be reviewed (group or user) and then select Edit >> Permissions.
3. Disable or delete unauthorized users.
Determine if the network device enforces access restrictions associated with changes to the device configuration.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> User Console and Options.
3. Select (highlight) the user profile to be reviewed (group or user) and then select Edit >> Permissions.
4. Check the user against the current SSP and ensure only the users that should have the privilege to make changes have the CounterACT Appliance Configuration; CounterACT Appliance Control; Module Control; Multiple CounterACT Appliance Management; Policy Control; Policy Management; and User Management privileges selected.
If the network device does not enforce such access restrictions, this is a finding.

Remove accounts that are not authorized. Do not remove the account of last resort.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> User Console and Options.
3. Select (highlight) the user profile to be reviewed (group or user) and then select Edit >> Permissions.
4. Check the user against the current SSP and ensure only the users that should have the privilege to make changes have the CounterACT Appliance Configuration; CounterACT Appliance Control; Module Control; Multiple CounterACT Appliance Management; Policy Control; Policy Management; and User Management privileges selected.
5. Delete or disable unauthorized users.
Determine if the network device audits the enforcement actions used to restrict access associated with changes to the device. This requirement may be verified by demonstration, configuration review, or validated test results.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> User Console and Options.
3. Select (highlight) the user profile to be reviewed (group or user) and then select Edit >> Permissions.
4. Check the user against the current SSP and ensure only the users with privileges to make changes have the least-privilege required permissions.
If the network device does not audit the enforcement actions used to restrict access associated with changes to the device, this is a finding.

Remove accounts that are not authorized. Do not remove the account of last resort. Ensure a least-privilege permission approach is taken with all accounts created.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> User Console and Options.
3. Select (highlight) the user profile to be reviewed (group or user) and then select Edit >> Permissions.
4. Check the user against the current SSP and ensure only the users that are allowed privileges to make changes have the least-privilege required permissions.
5. Delete or disable unauthorized users.
Verify by inspecting the SSP or documentation to determine if there is a procedure for validating the MD5 hash against the Forescout updates.forescout.com portal to ensure that the software has come from the Forescout server.
If the site does not have a documented process to prevent the installation of patches, service packs, or application components without verifying that the software component has been digitally signed using a certificate recognized and approved by the organization, this is a finding.

When Forescout updates are downloaded, whether from the DOD update server or the updates.forescout.com portal, each update is accompanied by an MD5 hash. Manually inspect, compare, and verify the MD5 hash against the Forescout website to ensure that the software has come from the Forescout server.
Determine if there are users defined in Forescout that are not authorized to change the software libraries. Verify that administrator privileges have been restricted for these users. This is verified by reviewing the administrator account profiles and auditing the assigned privilege for updating Forescout software.
1. Log on to the Forescout Console and select Tools >> Options >> Console User Profiles.
2. Select the user group that is not authorized access according to the SSP.
3. Select "Edit" and the "Permissions" tab.
4. Verify the users do not have the "Plugin Management" and "Software Upgrade" options selected.
If Forescout is not configured to limit privileges to change the software resident within software libraries for unauthorized users, this is a finding.

Configure Forescout to prevent access to change the software resident within software libraries for unauthorized personnel. View each of the Forescout user group accounts that are associated with the external user directory groups (e.g., RADIUS, Active Directory, LDAP). Perform the following actions for each group.
1. Log on to the Forescout Console and select Tools >> Options >> Console User Profiles.
2. Select the user group that is not authorized access according to the SSP.
3. Select "Edit" and the "Permissions" tab.
4. Unselect the options for "Module Management" and "Software Upgrade".
Check Forescout to determine if only authorized administrators have permissions for changes, deletions, and updates on the network device. Inspect the maintenance log to verify changes are being made only by the system administrators.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> CounterACT User Profiles.
3. Select (highlight) the user profile to be reviewed (group or user) and then select "Edit".
4. Verify the non-administrator account selected does not have "update" on the "Permissions" tab for "Forescout Appliance Configuration".
If unauthorized users are allowed to change the hardware or software, this is a finding.

Configure Forescout to prevent access to change the software resident within software libraries for unauthorized personnel. View each of the Forescout user group accounts associated with the external user directory groups (e.g., RADIUS, Active Directory, LDAP). Perform the following actions for each group:
1. Log on to the Forescout Console and select Tools >> Options >> Console User Profiles.
2. Select the user group that is not authorized access according to the SSP.
3. Select "Edit" and the "Permissions" tab.
4. Verify the options for "Module Management" or "Software Upgrade" are not selected.
Review the Forescout configuration to determine if administrative accounts for device management exist on the device other than the account of last resort and root account.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> Console Preferences.
3. Select (highlight) the user profile to be reviewed (group or user) and then select "Edit".
4. Verify each user profile is for an approved administrator.
5. Verify each external LDAP group account profile against the group membership in the trusted external directory.
If any administrative accounts other than the account of last resort and root account exist on the device, this is a finding.

Remove accounts that are not authorized. Do not remove the account of last resort.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> Console Preferences.
3. Select (highlight) the user profile to be reviewed (group or user) and then select "Remove".
4. Remove unauthorized external group memberships and individual users in the directory service.
Check that Forescout is still running supported operating system versions and that all vulnerability patches and updates have been applied. Verify the installed version is supported by Forescout by checking the Forescout support website lifecycle page. Currently, Version 8 or later is mandatory after October 2021.
If Forescout is running an operating system release that is not supported by the vendor, this is a finding.

Ensure Forescout is running supported operating system versions and that all vulnerability patches and updates have been applied. Establish and document a procedure that requires auditing that OS versions, patches, and updates have been applied in accordance with the Forescout support website lifecycle page.
Check that the administrative accounts assigned to each role are documented within the SSP and have been configured correctly with least privilege.
1. Log on to the Forescout UI.
2. Select Tools >> Options >> CounterACT User Profiles.
3. Select username >> Edit >> Permissions.
Check the SSP against the created users and ensure least privilege has been configured properly. Options include custom accounts for Console Access and Web Access. Each access account is then further established with permissions based on the user's authorizations.
If Forescout does not enforce organization-defined, role-based access control policies over defined subjects and objects, this is a finding.

Log on to the Forescout UI.
1. Select Tools >> Options >> CounterACT User Profiles.
2. Select username >> Edit >> Permissions.
Check the SSP against the created users and ensure least privilege has been configured properly. Options include custom accounts for Console Access and Web Access. Each access account is then further established with permissions based on the user's authorizations.
Verify the syslog triggers are configured in accordance with SSP requirements.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers.
3. Ensure the proper NAC Events and System Logs and Events are selected in compliance with the SSP.
If Forescout does not generate log records for a locally developed list of auditable events, this is a finding.

Configure Forescout auditing messages to ensure auditing is comprehensible for monitoring and analysis.
1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> Modules >> Syslog >> Syslog Triggers.
3. Ensure the proper NAC Events and System Logs and Events are selected.
Check Forescout to determine if the network device is configured to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner.
1. Open the Forescout Console and select Tools >> Advanced >> Backup.
2. On the "System Backup" tab, verify the "Enable System Backup" radio button is selected.
3. Verify the backup schedule is set to at least "Weekly".
If Forescout does not support the organizational requirement to conduct backups of system-level data according to the defined frequency, this is a finding.

Configure Forescout to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
Set up a backup server:
1. Open the Forescout Console and select Tools >> Advanced >> Backup >> Backup Server.
2. Click "SCP" or "SFTP" for the transfer protocol.
3. Add the IP address of the backup destination server.
4. Add the directory to receive the file.
5. Add a PKI key (preferred) or add a username and DoD-compliant password for the backup account to be used.
6. Enable "Authenticate Destination Server".
7. Test the file transfer.
8. Click "Apply".
Generate a backup job:
1. Click the "System Backup" tab.
2. Select "Enable System Backup".
3. Under Backup Schedule, add a "Generate backup at" entry and enter a time to run the backup in accordance with site procedures.
4. Select "Weekly" for Recurrence Pattern.
When changes to the configuration occur, the admin must immediately create a new backup by clicking "Backup Now" on the Backup screen.
Check Forescout to determine if the network device is configured to conduct backups.
1. Open the Forescout Console and select Tools >> Advanced >> Backup.
2. On the "System Backup" tab, verify the "Enable System Backup" radio button is selected.
3. Verify the backup schedule is set to at least "Weekly".
If Forescout does not support organizational requirements to conduct backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner, this is a finding.

Configure Forescout to conduct backups.
Set up a backup server:
1. Open the Forescout Console and select Tools >> Advanced >> Backup >> Backup Server.
2. Click "SCP" or "SFTP" for the transfer protocol.
3. Add the IP address of the backup destination server.
4. Add the directory to receive the file.
5. Add a PKI key (preferred) or add a username and DoD-compliant password for the backup account to be used.
6. Enable "Authenticate Destination Server".
7. Test the file transfer.
8. Click "Apply".
Generate a backup job:
1. Click the "System Backup" tab.
2. Select "Enable System Backup".
3. Under Backup Schedule, add a "Generate backup at" entry and enter a time to run the backup in accordance with site procedures.
4. Select "Weekly" for Recurrence Pattern.
When changes to the configuration occur, the admin must immediately create a new backup by clicking "Backup Now" on the Backup screen.
Determine if Forescout obtains public key certificates from an appropriate certificate policy through an approved service provider.
To review the web server certificate presented for captive portal/authentication:
1. Open a command line SSH session to the Forescout appliance or Enterprise Manager.
2. Run the following command: fstool cert test
3. Verify all web server certificate(s) are printed and reviewable.
4. Verify the signing authority is an approved certificate authority.
If the network device does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.

Generate a certificate signing request by completing the following procedures:
1. Navigate to Tools >> Options >> Certificates >> System Certificates.
2. On the right of the screen, click "Generate CSR".
3. Complete the following fields (bolded fields are necessary for the Common Criteria evaluation and underlined fields have the required selection made):
- Common Name: <system hostname>
- Organization: <organizational name>
- Organizational Unit: <unit name>
- Locality: <locality name>
- State: <state name>
- Country Code: <country code>
- Email Address: <email address>
- Key Length: <select an approved key length from the drop-down list>
- Signature Algorithm: <select an approved algorithm from the drop-down list>
- Key Usages: <check all items that apply: Client Authentication, Server Authentication, and Email Signing>
- Validity: <years>
4. Click "Next".
5. When the CSR is generated, scroll down to ensure the public key and common name are present.
6. Click "Scope option - ALL" and then click "Next".
7. Enter a name for the system certificate.
8. Check "Enable presenting this certificate".
9. Click "Finish".
10. Click "Apply", and then click "Yes" to save the changes.
Navigate to the plugin tool and remove all unneeded or unsecure services.
1. Connect to the Forescout Console and select Tools >> Options >> Plugins.
2. Review the list of plugins. If an unnecessary or nonsecure service is "Enabled", select the plugin and then select "Configure".
If no configuration is present, this is a finding.
If any unnecessary or nonsecure functions are enabled, this is a finding.

Configure the network device to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. The following is an example of disabling the wireless plugin if no wireless devices are directly managed by Forescout.
Example ONLY:
1. Connect to the Forescout Console and select Tools >> Options >> Modules >> Network.
2. Determine if the wireless plugin is running. If it is running, click the option and click "Stop". If the user is logged in to the Enterprise Manager, this will stop it on all the appliances in the enterprise.
This process can be used to disable or remove plugins not being used.
In the Password and Sessions login options, ensure "request customer verification" is not enabled.
1. Log on to the Forescout Administrator UI.
2. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions.
3. Ensure the option for "request customer verification" is unchecked.
If the Request Customer Verification setting is enabled, this is a finding.

In the Password and Sessions login options, disable the "request customer verification" option.
1. Log on to the Forescout Administrator UI.
2. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions.
3. Ensure the option for "request customer verification" is unchecked.
Review the Forescout configuration to determine if the network device authenticates SNMP endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
1. Select Tools >> Options >> Switch.
2. Select a network device and review the "SNMP" tab.
3. Verify that the "SNMPv3" option is selected and the "HMAC-SHA" authentication protocol is selected.
4. Verify that the "use privacy" radio button is selected and "AES-128" is also selected from the drop-down box.
If Forescout does not authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC), this is a finding.

Configure Forescout to authenticate SNMP endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
1. Select Tools >> Options >> Switch.
2. Select a network device and review the "SNMP" tab.
3. Ensure the "SNMPv3" option is selected and the "HMAC-SHA" authentication protocol is selected.
4. Ensure the "use privacy" radio button is selected and "AES-128" or higher is selected from the drop-down box.
Review the Forescout configuration to determine if Forescout authenticates SNMP endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. 1. Select Tools >> Options >> Switch. 2. Select a network device and review the "SNMP" tab. 3. Verify the "SNMPv3" option is selected and the "HMAC-SHA" authentication protocol is selected. 4. Verify the "use privacy" radio button is selected and "AES-128" is also selected from the drop-down box. If SNMPv3 with HMAC-SHA authentication and AES-128 privacy is not configured, this is a finding.
Configure Forescout to authenticate SNMP endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. 1. Select Tools >> Options >> Switch. 2. Select a network device and review the "SNMP" tab. 3. Ensure the "SNMPv3" option is selected and the "HMAC-SHA" authentication protocol is selected. 4. Ensure the "use privacy" radio button is selected and "AES-128" is also selected from the drop-down box. Note: According to the vendor, this configuration uses SHA-1 for the SNMP authentication protocol only when in FIPS mode. Use of SHA-1 for integrity processes usually incurs a finding; however, this configuration also sets AES-128 privacy, so the vendor-recommended configuration is considered to mitigate the risk for SNMP on Forescout only. This exception is specifically and only applicable to this requirement.
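What the "HMAC-SHA" and "AES-128" selections above actually commit the appliance to is the SNMPv3 User-based Security Model: the user's password is hashed into a key, that key is localized to one engine ID so a key for one switch is useless on another, and each message carries a 12-byte HMAC-SHA-96 tag. The following is an added example (not Forescout or vendor code) implementing that key derivation and tag computation from RFC 3414 with the Python standard library; the password "maplesyrup" and the engine ID are the RFC's own test vectors, and the message bytes are constructed for illustration rather than a real BER-encoded SNMP PDU.

```python
import hashlib
import hmac

# RFC 3414 Appendix A.3 test engine ID (not a real device); "maplesyrup" is the RFC's test password.
TEST_ENGINE_ID = bytes.fromhex("000000000000000000000002")
TEST_PASSWORD = b"maplesyrup"


def password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated to exactly 1,048,576 bytes).

    The large input is deliberate work-factor against brute forcing the password.
    """
    total = 1_048_576
    repeated = (password * (total // len(password) + 1))[:total]
    return hashlib.new(hash_name, repeated).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku).

    Binding the key to the engine ID means a key recovered from one switch
    cannot be replayed against another, even though the user password is shared.
    """
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_tag(kul: bytes, whole_msg: bytes) -> bytes:
    """HMAC-SHA-96 (RFC 3414 6.3): HMAC-SHA-1 over the message, truncated to 12 bytes.

    In a real message the msgAuthenticationParameters field is zero-filled
    before the tag is computed; here whole_msg is a constructed byte string.
    """
    return hmac.new(kul, whole_msg, hashlib.sha1).digest()[:12]


def verify_auth(kul: bytes, whole_msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison so a tampered message is rejected without a timing oracle."""
    return hmac.compare_digest(auth_tag(kul, whole_msg), tag)


def priv_key_aes128(kul: bytes) -> bytes:
    """RFC 3826 3.1.2.1: the AES-128 privacy key is the first 16 bytes of the localized key."""
    return kul[:16]


if __name__ == "__main__":
    ku = password_to_key(TEST_PASSWORD)
    kul = localize_key(ku, TEST_ENGINE_ID)
    msg = b"constructed SNMPv3 message bytes"  # constructed sample, not a real PDU
    tag = auth_tag(kul, msg)
    print("Ku  =", ku.hex())
    print("Kul =", kul.hex())
    print("tag =", tag.hex())
    print("intact message verifies:", verify_auth(kul, msg, tag))
    print("tampered message verifies:", verify_auth(kul, msg + b"!", tag))
```

The point worth taking from the example is the localization step: the same password yields a different Kul for every engine ID, which is why the SNMPv3 credential configured in the Switch plugin must match what each switch computes for its own engine, and why a credential leaked from one device does not authenticate messages to another.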
1. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 2. Verify the first "password must contain at least" is checked. 3. Verify there is a minimum of one in the "upper case alphabetic characters" configuration box. If the Forescout does not enforce password complexity by requiring that at least one uppercase character be used, this is a finding.
Configure Forescout to require a minimum of one uppercase character. 1. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 2. Check the first "password must contain at least" option. 3. Add a 1 (or higher) in the "upper case alphabetic characters" configuration box.
1. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 2. Verify the second "password must contain at least" is checked. 3. Verify there is a minimum of one in the "lower case alphabetic characters" configuration box. If the Forescout does not enforce password complexity by requiring that at least one lowercase character be used, this is a finding.
Configure Forescout to require a minimum of one lowercase character. 1. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 2. Check the second "password must contain at least" option. 3. Add a 1 (or higher) in the "lower case alphabetic characters" configuration box.
Determine if the network device enforces a minimum 15-character password length. This requirement may be verified by demonstration or configuration review. 1. Log on to the Forescout Administrator UI. 2. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 3. Verify the "minimum length" is configured for "15". If Forescout does not enforce a minimum 15-character password length, this is a finding.
Log on to the Forescout Administrator UI. 1. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 2. Configure the "minimum length" for "15".
1. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 2. Verify the third "password must contain at least" is checked. 3. Verify there is 1 (or higher) in the "digits" configuration box. If the Forescout does not enforce password complexity by requiring that at least one numeric character be used, this is a finding.
Configure Forescout to require a minimum of one numeric character. 1. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 2. Check the third "password must contain at least" option. 3. Add a 1 (or higher) in the "digits" configuration box.
1. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 2. Verify the fourth "password must contain at least" is checked. 3. Verify there is 1 (or higher) in the "special characters" configuration box. If the Forescout does not enforce password complexity by requiring that at least one special character be used, this is a finding.
Configure Forescout to require a minimum of one special character. 1. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 2. Check the fourth "password must contain at least" option. 3. Add a 1 (or higher) in the "special characters" configuration box.
1. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 2. Verify the fifth "password must contain at least" is checked. 3. Verify there is 1 (or higher) in the "repeated characters or digits" configuration box. If Forescout does not enforce the requirement that when the password is changed, the characters are changed in at least eight of the positions within the password, this is a finding.
Configure Forescout to require that, when a password is changed, the characters are changed in at least eight of the positions within the password. 1. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 2. Check the fifth "password must contain at least" option. 3. Add a 1 (or higher) in the "repeated characters or digits" configuration box.
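The checks above together describe one password policy: at least 15 characters, at least one uppercase, lowercase, numeric and special character, and at least eight positions changed on each password change. The following is an added example (not Forescout code) that evaluates a candidate password against that policy, including the positional-change rule, which is the part an administrator is most likely to want to test independently, since the Forescout control the fix text names for it is a repeated-character limit rather than a position comparison. The sample passwords and the choice of `string.punctuation` as the special-character set are assumptions for illustration.

```python
import string
from typing import Dict, List, Optional

# Policy values taken from the checks above; the special-character set is an assumption.
MIN_LENGTH = 15
MIN_UPPER = 1
MIN_LOWER = 1
MIN_DIGITS = 1
MIN_SPECIAL = 1
MIN_CHANGED_POSITIONS = 8
SPECIALS = frozenset(string.punctuation)


def character_classes(pw: str) -> Dict[str, int]:
    """Count how many characters of each required class the password contains."""
    return {
        "upper": sum(1 for c in pw if c.isupper()),
        "lower": sum(1 for c in pw if c.islower()),
        "digits": sum(1 for c in pw if c.isdigit()),
        "special": sum(1 for c in pw if c in SPECIALS),
    }


def positions_changed(old: str, new: str) -> int:
    """Number of positions at which the new password differs from the old one.

    Positions are compared index by index; any difference in length counts as
    that many changed positions, so appending a single character to an old
    password changes only one position.
    """
    differing = sum(1 for a, b in zip(old, new) if a != b)
    return differing + abs(len(old) - len(new))


def check_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return a list of policy failures; an empty list means the password is acceptable."""
    failures: List[str] = []
    if len(new) < MIN_LENGTH:
        failures.append(f"length {len(new)} is below the minimum of {MIN_LENGTH}")
    classes = character_classes(new)
    for name, minimum in (("upper", MIN_UPPER), ("lower", MIN_LOWER),
                          ("digits", MIN_DIGITS), ("special", MIN_SPECIAL)):
        if classes[name] < minimum:
            failures.append(f"needs at least {minimum} {name} character(s), found {classes[name]}")
    if old is not None:
        changed = positions_changed(old, new)
        if changed < MIN_CHANGED_POSITIONS:
            failures.append(
                f"only {changed} position(s) changed; at least {MIN_CHANGED_POSITIONS} required")
    return failures


if __name__ == "__main__":
    # Constructed sample passwords for illustration only.
    previous = "Tr0ub4dor&3xampleZ!"
    for candidate in ("Tr0ub4dor&3xampleZ?", "Zebra-Crossing#2024", "Ab1!short"):
        result = check_password(candidate, old=previous)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Run with an old and a new password to see why a one-character tweak of the previous password fails even though it satisfies every character-class rule.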
Open a secure shell to the CLI of the management appliance and log on using the CLIAdmin credentials established upon initial configuration. Verify FIPS mode by typing the command "fstool version". If Forescout does not use FIPS 140-2 approved algorithms for authentication to a cryptographic module, this is a finding.
To enable FIPS mode on the Forescout appliance, start by opening a secure shell to the CLI of the management appliance using PuTTY or another SSH client. Log on using the CLIAdmin credentials established upon initial configuration. To enable FIPS mode, type "fstool fips". At the prompt alerting the user that FIPS 140-2 mode will be enabled, type "Yes" to accept. Note: Use of FIPS mode is not mandatory in DoD. However, it is the primary method of meeting this requirement and ensuring FIPS compliance.
To verify the device is configured to terminate management sessions after 10 minutes of inactivity, verify the timeout value is configured. 1. Go to the Enterprise Manager Console. 2. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 3. Verify the "User Inactivity Timeout" check box is selected and the associated setting is set to "10 minutes". If applicable, verify exceptions to this requirement are documented and signed. If Forescout does not terminate the connection associated with an Enterprise Manager Console at the end of the session or after 10 minutes of inactivity, this is a finding.
Forescout is inherently designed to terminate the session upon exit or disconnection, so that part of the requirement does not need a fix. To configure Forescout to terminate the connection after 10 minutes of inactivity, perform the following steps. 1. Go to the Enterprise Manager Console. 2. From the menu, select Tools >> Options >> CounterACT User Profiles >> Password and Sessions. 3. Ensure the "User Inactivity Timeout" check box is selected and the associated setting is set to "10 minutes".
List the contents of Forescout's local storage, including any drives supporting removable media (such as flash drives), and check the file permissions of all files on those drives. 1. Review accounts with update privileges to the Forescout appliance configuration by selecting Tools >> Options >> CounterACT User Profiles. 2. Select a user to edit. 3. Select the "Permissions" tab. 4. Verify the "CounterACT Appliance Configuration" and "CounterACT Appliance Control" radio buttons are set to "View only" for accounts not authorized to change the configuration. If any files allow read or write access by accounts not specifically authorized access, or by non-privileged accounts, this is a finding.
Review the SSP or other documentation for a list of user accounts and privileges. Set the file permissions on files on Forescout or on removable media used by the device so that only authorized administrators can read or change their contents. This is accomplished by limiting access to sudo-capable accounts and command-line admin accounts. 1. Review accounts with update privileges to the Forescout appliance configuration by selecting Tools >> Options >> CounterACT User Profiles. 2. Select a user to edit. 3. Select the "Permissions" tab. 4. Ensure the "CounterACT Appliance Configuration" and "CounterACT Appliance Control" radio buttons are set to "View only" for accounts not authorized to change the configuration.
Check the Forescout logs periodically to ensure the auditing functions are still enabled and have not been changed. A proper security policy performs periodic checks to help ensure the right information is being gathered in the event of a security breach or an internal/external threat. If the Forescout auditing functions are disabled or have been changed, this is a finding.
Establish and document a procedure that periodically checks that audit logs are being produced and forwarded in keeping with security best practice for detailed security audit logs. To forward audit events to a syslog server: 1. Log on to the Forescout UI. 2. Select Tools >> Options >> Modules >> Syslog >> Add. 3. Configure the Server Address and Server Port, and select "Use TLS". 4. Configure Identity, Facility, and Severity, and then select OK >> Apply.
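The periodic check the fix describes is easiest to make routine when it is automated on the receiving side: if a Forescout appliance or Enterprise Manager stops sending audit events to the syslog server, the silence itself is the signal that auditing has been disabled, changed, or cut off. The following is an added example (not Forescout code) that parses syslog lines and reports every expected source that has not been heard from within a chosen window. The log lines are constructed in RFC 5424 shape for illustration and do not reproduce Forescout's real message format; the host names, the expected-source list and the 15-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample lines in RFC 5424 shape; not real Forescout output.
SAMPLE_LOG = """\
<14>1 2024-03-01T10:00:05Z em01.example.net CounterACT - - - Admin user1 logged in from 10.0.0.5
<14>1 2024-03-01T10:01:10Z app01.example.net CounterACT - - - Policy 'Compliance' matched host 10.1.2.3
<14>1 2024-03-01T10:30:00Z em01.example.net CounterACT - - - Admin user1 changed password policy
this line is not syslog and is skipped
"""

# Assumed set of sources that must report; in practice, take this from the SSP inventory.
EXPECTED_SOURCES: Set[str] = {"em01.example.net", "app01.example.net", "app02.example.net"}

LINE_RE = re.compile(r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) ")


def parse_events(text: str) -> List[Tuple[str, datetime]]:
    """Extract (hostname, timestamp) from each RFC 5424 line; non-matching lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((m["host"], ts))
    return events


def silent_sources(events: List[Tuple[str, datetime]], expected: Set[str],
                   now: datetime, max_gap: timedelta) -> Dict[str, Optional[datetime]]:
    """Map each expected source that is overdue to its last-seen time (None if never seen)."""
    last_seen: Dict[str, datetime] = {}
    for host, ts in events:
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    overdue: Dict[str, Optional[datetime]] = {}
    for host in sorted(expected):
        seen = last_seen.get(host)
        if seen is None or now - seen > max_gap:
            overdue[host] = seen
    return overdue


if __name__ == "__main__":
    # Fixed "now" so the sample output is reproducible; use datetime.now(timezone.utc) in practice.
    now = datetime(2024, 3, 1, 10, 35, tzinfo=timezone.utc)
    for host, seen in silent_sources(parse_events(SAMPLE_LOG), EXPECTED_SOURCES,
                                     now, timedelta(minutes=15)).items():
        print(f"{host}: last audit event {seen.isoformat() if seen else 'never'}")
```

Run on a schedule against the syslog server's spool, the script turns the documented "periodically check" step into a concrete alert; a source listed as never seen usually means the Syslog plugin was never enabled for that appliance, while a source that goes quiet after previously reporting warrants checking whether the auditing configuration was changed.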