Remote Access Server STIG V2R7

c

The IAO/NSO will ensure all communications devices are password protected.

High - V-3012 - SV-3012r6_rule

RMF Control

Severity

H

CCI

Version

NET0230

Vuln IDs

V-3012

Rule IDs

SV-3012r6_rule

The lack of a password protection for communications devices provides anyone access to the device, which opens a backdoor opportunity for intruders to attack and manipulate or compromise network resources. Vendors and programmers often leave methods of gaining access to a device that is outside the normal means of access. These backdoors or hidden userids are well known and are extremely dangerous if left active.Information Assurance OfficerECSC-1, IAIA-1, IAIA-2

Checks: C-3456r1_chk

Interview the network administrator and attempt to logon to several devices.

Fix: F-3037r2_fix

Ensure all communication devices are in compliance with password policy.

b

An approved DoD login banner is not used on the device.

Medium - V-3013 - SV-3013r11_rule

RMF Control

Severity

M

CCI

Version

NET0340

Vuln IDs

V-3013

Rule IDs

SV-3013r11_rule

All network devices must present a DOD approved warning banner prior to a system administrator logging on. The banner should warn any unauthorized user not to proceed. It also should provide clear and unequivocal notice to both authorized and unauthorized personnel that access to the device is subject to monitoring to detect unauthorized usage. Failure to display the required login warning banner prior to logon attempts will limit DISA’s ability to prosecute unauthorized access and also presents the potential to give rise to criminal and civil liability for systems administrators and information systems managers. In addition, DISA’s ability to monitor the device’s usage is limited unless a proper warning banner is displayed. DoD CIO has issued new, mandatory policy standardizing the wording of “notice and consent” banners and matching user agreements for all Secret and below DoD information systems, including stand-alone systems by releasing DoD CIO Memo, “Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement”, dated 9 May 2008. The Banner is mandatory and deviations are not permitted except as authorized in writing by the Deputy Assistant Secretary of Defense for Information and Identity Assurance. Implementation of this banner verbiage is further directed to all DoD components for all DoD assets via JTF-GNO CTO 08-008A. Information Assurance OfficerECWM-1

Checks: C-3474r4_chk

Review the device configuration or request that the administrator to login to the device and observe the terminal. Verify that either Option A or Option B (for systems with sever character limitations) of the Standard Mandatory DoD Notice and Consent Banner is displayed at log. The required banner verbiage follows and must be displayed verbatim: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: “I've read & consent to terms in IS user agreem't. .

Fix: F-3038r4_fix

Configure all management ports and interfaces to the network device to display the DoD mandated warning banner verbiage at login regardless of the means of connection or communication. The required banner verbiage that must be displayed verbatim is as follows: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. If the system is incapable of displaying the required banner verbiage due to its size, a smaller banner must be used. The mandatory verbiage follows: “I've read & consent to terms in IS user agreem't.

a

Ensure all modems are physically protected.

Low - V-19843 - SV-22006r1_rule

RMF Control

Severity

L

CCI

Version

SRC-RAS-030

Vuln IDs

V-19843

Rule IDs

SV-22006r1_rule

Limiting the access to infrastructure modems and keeping accurate records of the deployed modems will limit the chance that unauthorized modems will be placed into the infrastructure. If an unauthorized person has physical access to a site's modems, the switch or software settings can be changed to affect the security of a system.Information Assurance OfficerECSC-1

Checks: C-7468r1_chk

Visually inspect location of modems to determine compliance.

Fix: F-7662r1_fix

Ensure that all modems are physically protected.

b

For dial-up services, ensure remote endpoints and remote access servers are configured to use PPP instead of SLIP to provide client dial-up communication.

Medium - V-19844 - SV-22007r1_rule

RMF Control

Severity

M

CCI

Version

SRC-RAS-010

Vuln IDs

V-19844

Rule IDs

SV-22007r1_rule

The most significant advantage PPP provides is authentication and configuration negotiation. With SLIP, the remote user must configure communication parameters such as maximum transmission unit (MTU) and maximum receive unit (MRU). In addition, SLIP does not support authentication; hence, chat scripts must be used to provide some form of authentication before SLIP is started. On the other hand, PPP negotiates the configuration parameters at the start of the connection to include which authentication method will be used, as well as all required transmission parameters. Information Assurance OfficerECSC-1

Checks: C-25068r1_chk

Review the configuration for the RAS. Verify that PPP is used as the communication protocol that enables a remote computer to connect to a network over standard asynchronous serial lines.

Fix: F-20518r1_fix

Ensure the RAS is configured to accept only communications protocols that use an accepted method of encryption to authenticate the remote node (e.g. CHAP with MD5 or MS-CHAP with MD4).

b

If PPP is used for dial-up access, then authentication will be provided by one of the following protocols: EAP (recommended); CHAP with MD5; or MS-CHAP with MD4.

Medium - V-19845 - SV-22008r2_rule

RMF Control

Severity

M

CCI

Version

SRC-RAS-020

Vuln IDs

V-19845

Rule IDs

SV-22008r2_rule

PPP provides authentication methods such as Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). These protocols are used for authentication at the Data Link Layer—that is, between the remote client and the remote access server. These methods provide the means for the remote client to send logon userid and password information to the remote access server. These two security features working together help to ensure data transfer security in the PPP network.Network Security OfficerECSC-1

Checks: C-25069r1_chk

Review the configuration for the RAS . Verify use of an approved encryption algorithm if PPP is used for remote access.

Fix: F-20519r1_fix

Ensure that an accepted method of encryption to authenticate the remote node is used (e.g. CHAP with MD5 or MS-CHAP with MD4).

a

The IAO/NSO will maintain a listing of all modems, associated phone number, and location.

Low - V-19846 - SV-22009r1_rule

RMF Control

Severity

L

CCI

Version

SRC-RAS-040

Vuln IDs

V-19846

Rule IDs

SV-22009r1_rule

Keeping accurate records of the deployed modems will limit the chance that unauthorized modems will be placed into the infrastructure.Information Assurance OfficerECSC-1

Checks: C-25070r1_chk

Request that the IAO/NSO provide the list for visual inspection.

Fix: F-20520r1_fix

Ensure an accurate listing of all RAS modems is maintained.

a

User authentication is required prior to establishing a callback connection.

Low - V-19847 - SV-22010r2_rule

RMF Control

Severity

L

CCI

Version

SRC-RAS-050

Vuln IDs

V-19847

Rule IDs

SV-22010r2_rule

Callback features are an attempt to protect the network by providing a service that disconnects an incoming call and reestablishes the call, dialing back to a predetermined number. Upon establishment of the callback connection, the communications device will require the user to authenticate to the system.Information Assurance OfficerECSC-1

Checks: C-25071r1_chk

To verify, check the configuration of the RAS or the remote access policy server.

Fix: F-20521r1_fix

Ensure that if callback procedures are used, then upon establishment of the callback connection, the communications device will require the user to authenticate to the system.

b

Configure the RAS so that communications sessions are limited to single-line operation where sessions are not multiplexed across multiple lines.

Medium - V-19848 - SV-22011r2_rule

RMF Control

Severity

M

CCI

Version

SRC-RAS-060

Vuln IDs

V-19848

Rule IDs

SV-22011r2_rule

Use of several lines per session make it difficult to monitor and audit communications events that may adversely impact the network.Information Assurance OfficerECSC-1

Checks: C-25072r1_chk

Inspect the configuration of the RAS dial-up lines by using the RAS configuration screens. Verify the modem lines are configured for single line operation and multiplexing is not selected as an option available to the user or the system.

Fix: F-20522r1_fix

Ensure that all modem lines are restricted to single line operation.

b

The RAS or access control server will be configured to disable use of special features (e.g., call forwarding and call waiting).

Medium - V-19849 - SV-22012r2_rule

RMF Control

Severity

M

CCI

Version

SRC-RAS-080

Vuln IDs

V-19849

Rule IDs

SV-22012r2_rule

These special features are not mission essential for RAS lines and may lead to inacurate call log and complicate security investigations as the calls may be redirected.Information Assurance OfficerECSC-1

Checks: C-25073r1_chk

Interview the network administrator. Verify the modem lines are configured as required with no special features.

Fix: F-20523r1_fix

Ensure that all modem lines are not configured to allow users to use special calling features.

b

RAS communications lines will be assigned as either inward or outward dial but not both. Assignment of each line will depend on mission requirements.

Medium - V-19850 - SV-22013r1_rule

RMF Control

Severity

M

CCI

Version

SRC-RAS-090

Vuln IDs

V-19850

Rule IDs

SV-22013r1_rule

Use of these features of the phone line or RAS device may lead to inacurate call log and complicate security investigations as the calls may be redirected.Information Assurance OfficerECSC-1

Checks: C-25074r1_chk

Interview the network administrator. Verify the modem lines are configured as required.

Fix: F-20524r1_fix

Ensure all modem lines are not configured to assign either dial-in or dial-out usage for each line but not both.

a

The remote access dial-up server will maintain a log of calls to provide a call audit trail.

Low - V-19851 - SV-22014r2_rule

RMF Control

Severity

L

CCI

Version

SRC-RAS-070

Vuln IDs

V-19851

Rule IDs

SV-22014r2_rule

Ubiquitous phone lines open major security holes in a network. The more tightly they can be controlled, the less the exposure to vulnerabilities. Allowing special features to remain active on modem phone lines create advantageous situations for malicious attacks. An attacker may use special features to forward modem or voice calls to destinations that cause toll-fraud, or forward the number to itself causing a denial of service. ANI logs are ideal for auditing unauthorized accesses and toll-fraud.Information Assurance OfficerECSC-1

Checks: C-25075r1_chk

Interview the IAO and ask to see a copy of the logs.

Fix: F-20525r2_fix

Maintain and review call logs. Audit records should be stored for a period of 1 year.

a

Network Address Translation (NAT) will not be configured for use with remote access gateways and servers unless there is a means of tracking the remote client's network activity throughout the network.

Low - V-21529 - SV-23743r1_rule

RMF Control

Severity

L

CCI

Version

SRC-NET-060

Vuln IDs

V-21529

Rule IDs

SV-23743r1_rule

An incorrectly configured remote access gateway may allow unauthorized access to malicious or unauthorized remote users.Information Assurance OfficerECSC-1

Checks: C-23370r1_chk

Inspect the configuration of the VPN or RAS gateway and verify that it is does not provide NAT services to the remote access end points.

Fix: F-22325r1_fix

Ensure that the remote access gateway is not configured to provide NAT services for remote access connections.

b

Where digital certificates are used for device authentication, the remote gateway will use DoD-approved PKI rather than default or proprietary device certificates which are preinstalled by the vendor.

Medium - V-21538 - SV-23753r1_rule

RMF Control

Severity

M

CCI

Version

SRC-NET-010

Vuln IDs

V-21538

Rule IDs

SV-23753r1_rule

Without secure management implemented with authenticated access controls, strong two-factor authentication, encryption of the management session and audit logs, unauthorized users may gain access to network managed devices compromised, large parts of the network could be incapacitated with only a few commands.Information Assurance OfficerECSC-1

Checks: C-25810r1_chk

Review the PKI certificate menu in the device configuration to see if DoD PKI has been implement. The certificate used with contain "DoD". If a certificate is used but it is not DoD-approved, this as a finding.

Fix: F-22328r1_fix

If PKI is used for DEVICE authentication then ensure that a DoD approved certificate is installed. If the device does not have the option to replace the default manufacturer certificate, then the product should be replaced.

b

If digital certificates are generated by the remote access gateway for device authentication (e.g., mutual authentication between hosts), the key length and hashing algorithm used must conform to DoD requirements.

Medium - V-21540 - SV-23755r1_rule

RMF Control

Severity

M

CCI

Version

SRC-NET-020

Vuln IDs

V-21540

Rule IDs

SV-23755r1_rule

Digital certificates which are self-generated are not encouraged but may be unavoidable. If used, then key length and hashing algorithm must conform to DoD standards.Information Assurance OfficerECSC-1

Checks: C-25813r1_chk

Ask if digital certificates are generated by the remote access gateway for device authentication. Examine the authentication configuration using the management interface of the remote access gateway. Verify that the key length and hashing algorithm used conform to DoD requirements.

Fix: F-19932r1_fix

If digital certificates are generated by the remote access solution for device authentication, then the key length and hashing algorithm used must conform to DoD requirements.

a

The remote access solution will be configured to authenticate (DOD PKI preferred) all endpoints requesting access to the network; to include mutual authentication between the remote access server device and the endpoint will be enforced prior to network admission.

Low - V-21541 - SV-23759r1_rule

RMF Control

Severity

L

CCI

Version

SRC-NET-030

Vuln IDs

V-21541

Rule IDs

SV-23759r1_rule

Remote access is a significant risk to the Enclave. Attackers can engage in remote exploits without traversing the physical security controls often in place at the site. Thus, stringent logical controls are needed to protect DoD assets. Both the device and the user must be both authenticated and authorized prior to allowing access. Device authentication may be performed in several ways but DoD-approved PKI is preferred.Information Assurance OfficerECSC-1

Checks: C-25814r1_chk

Work with the system administrator to verify that device authentication is implemented. Also, verify that mutual authentication between the remote access gateway and the endpoint is implemented.

Fix: F-22329r1_fix

Ensure device authentication and mutual authentication between the remote access gateway and the endpoint is implemented.

c

Network devices configured to provide remote access services (e.g., RAS, VPN gateways, and NAC appliances) will be PK-enabled (as required by DoDD 8520) and will have the capability to generate certificate-signing requests and use DoD-approved PKI digital certificates when available.

High - V-21582 - SV-23841r2_rule

RMF Control

Severity

H

CCI

Version

SRC-NET-040

Vuln IDs

V-21582

Rule IDs

SV-23841r2_rule

Network devices, RAS, and VPN gateways will not use proprietary digital certificates or self-signed mechanisms. These certificates are often generated by the manufacturer and are similar to default passwords. Additionally, DoD requires use of DoD-PKI rather than proprietary certificate structures.Information Assurance OfficerECSC-1

Checks: C-25850r1_chk

View the vendor documentation or device configuration to verify that the device is capable of generating certificate-signing requests and using DoD-approved PKI digital certificates when available.

Fix: F-19145r1_fix

Ensure all devices which provide remote access services are capable of generating certificate-signing requests and using DoD-approved PKI digital certificates when available.

b

The remote access gateway/server will be configured to use an authentication server for user authentication to provide for separation of services.

Medium - V-21583 - SV-23842r1_rule

RMF Control

Severity

M

CCI

Version

SRC-NET-050

Vuln IDs

V-21583

Rule IDs

SV-23842r1_rule

AAA network security services provide the primary framework through which a network administrator can set up access control on network points of entry or network access servers, which is usually the function of an access server. These servers centralize user identification, authentication, authorization and monitors the user's network usage. Separation of services provides added assurance to the network if the access control server is compromised.Information Assurance OfficerDCBP-1

Checks: C-25851r1_chk

Verify that an authentication server is required to access the remote access server by reviewing the currently running configuration. The remote access server will be configured to redirect user authentication requests to the authentication server.

Fix: F-19146r1_fix

The system administrator will configure the TACACS+, Radius or Diameter server with remote access accounts and user passwords. The remote access server will be configured to redirect user authentication requests to the authentication server.

b

The default remote access control policy will restrict remote user and device access based on group policy rather than by individual user or device.

Medium - V-21584 - SV-23843r1_rule

RMF Control

Severity

M

CCI

Version

SRC-NET-070

Vuln IDs

V-21584

Rule IDs

SV-23843r1_rule

The access control policy configuration is the key security control of the remote access solution. This policy should be centralized particulary when multiple remote access control gateways and communications devices are used. Use of a policy server that can service all types of is highly encouraged. This reduces policy complexity, facilitates management of remote access, and reduces the threat posed by inadvertent administration error with access restrictions. Access control should be managed using access groups and placing the users into these groups. RADIUS or Active Directory groups will facilitate single sign-on and make modification of users and resources across the network easier. Information Assurance OfficerECSC-1

Checks: C-25852r1_chk

Review the remote access gateway (RAS or VPN) configuration. Verify that resources and priviledges are assigned to groups not individual users. Verify that the user groups are defined on the authentication server unless not technologically feasible.

Fix: F-22354r1_fix

Ensure the default network access control policy is modified to restrict remote access based on group policy rather than configured for each individual user.

b

The RAS or communications server will be configured to limit the number of concurrent connections from the remote user.

Medium - V-21585 - SV-23844r1_rule

RMF Control

Severity

M

CCI

Version

SRC-NET-080

Vuln IDs

V-21585

Rule IDs

SV-23844r1_rule

The number of concurrent logins will be limited in order to guard against the potential for Denial of Service attacks. Recommended setting should be based on usage trends and the number of approved remote users in the organization.System AdministratorECSC-1

Checks: C-25853r1_chk

Work with the SA to examine the RAS. Verify the setting for the number of concurrent end user remote sessions is not set to a value which means unlimited. Value set should be reasonable based on local policy.

Fix: F-22355r1_fix

Ensure the setting for the number of conncurrent end user remote sessions is set to a resonable value and is not unlimited.

b

Remote access host integrity checks will incorporate settings and policies as required.

Medium - V-21586 - SV-23845r2_rule

RMF Control

Severity

M

CCI

Version

SRC-NET-090

Vuln IDs

V-21586

Rule IDs

SV-23845r2_rule

The access control policy will be integrated with endpoint security controls. Users accessing from untrusted devices such as kiosks, personaly owned, or unmanaged devices may require active content in the client Web Browser which clears the cache or remove files, cookies, and session information. For example, users detected as accessing from a kiosk may be subjected to a host integrity check prior to authentication in order to guard against keystroke loggers. Consideration should also be taken for emergency and disaster recovery. Remote access for remote reset or for special circumstances should be considered.System AdministratorECSC-1

Checks: C-25854r1_chk

Work with the SA to examine the policies for the host integrity setting. Ensure there are settings and policies applicable to the listed compliance areas. Verify the following settings: - Sensitivity of information accessed such as public, non-public, administrator, classified; - Authentication method used (PKI, password, open); - User identification and authorization; - Type of user such as mobile, teleworker from home, remote DoD site enclave user, or contractor site; - Endpoint type and location (laptop, PDA, virtual, managed/unmanaged; - Other (browser type, day/time, accessed resource type).

Fix: F-22356r1_fix

Ensure remote access host integrity check is compliant.

b

Configure the remote access gateway to prevent remotely connected users from unauthorized access to the local files or host system configuration.

Medium - V-21587 - SV-23846r1_rule

RMF Control

Severity

M

CCI

Version

SRC-NET-100

Vuln IDs

V-21587

Rule IDs

SV-23846r1_rule

If users are allowed access to system files or configuration applications, they may change the application setting and create a denial of service incident.Information Assurance OfficerECSC-1

Checks: C-25855r1_chk

Interview the site representative and review network or operating system SRR or self-assessment documentation.

Fix: F-19952r1_fix

Ensure remote users do not have permissions to access databases, files, and configuration management applications resident on the remote access gateway.

Checks: C-3456r1_chk

Fix: F-3037r2_fix

Generate Mitigation Statement:

Checks: C-3474r4_chk

Fix: F-3038r4_fix

Generate Mitigation Statement:

Checks: C-7468r1_chk

Fix: F-7662r1_fix

Generate Mitigation Statement:

Checks: C-25068r1_chk

Fix: F-20518r1_fix

Generate Mitigation Statement:

Checks: C-25069r1_chk

Fix: F-20519r1_fix

Generate Mitigation Statement:

Checks: C-25070r1_chk

Fix: F-20520r1_fix

Generate Mitigation Statement:

Checks: C-25071r1_chk

Fix: F-20521r1_fix

Generate Mitigation Statement:

Checks: C-25072r1_chk

Fix: F-20522r1_fix

Generate Mitigation Statement:

Checks: C-25073r1_chk

Fix: F-20523r1_fix

Generate Mitigation Statement:

Checks: C-25074r1_chk

Fix: F-20524r1_fix

Generate Mitigation Statement:

Checks: C-25075r1_chk

Fix: F-20525r2_fix

Generate Mitigation Statement:

Checks: C-23370r1_chk

Fix: F-22325r1_fix

Generate Mitigation Statement:

Checks: C-25810r1_chk

Fix: F-22328r1_fix

Generate Mitigation Statement:

Checks: C-25813r1_chk

Fix: F-19932r1_fix

Generate Mitigation Statement:

Checks: C-25814r1_chk

Fix: F-22329r1_fix

Generate Mitigation Statement:

Checks: C-25850r1_chk

Fix: F-19145r1_fix

Generate Mitigation Statement:

Checks: C-25851r1_chk

Fix: F-19146r1_fix

Generate Mitigation Statement:

Checks: C-25852r1_chk

Fix: F-22354r1_fix

Generate Mitigation Statement:

Checks: C-25853r1_chk

Fix: F-22355r1_fix

Generate Mitigation Statement:

Checks: C-25854r1_chk

Fix: F-22356r1_fix

Generate Mitigation Statement:

Checks: C-25855r1_chk

Fix: F-19952r1_fix

Generate Mitigation Statement: