Remote Endpoint STIG


Version / Release: V2R7

Published: 2012-07-09

Updated At: 2018-09-23 12:36:57





    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-6795r1_rule SRC-EPT-190 MEDIUM Disable file and print sharing on remote access devices. File and print sharing need to be disabled so file access is not available to unauthorized users. System Administrator ECSC-1
    SV-6796r1_rule SRC-EPT-191 MEDIUM When a modem is installed, incoming dial-up capability to the user’s remote device (e.g., laptop, workstation, etc.) will be disabled. Accepting incoming dial-up connections on a device not intended for dial-up opens an attack surface. System Administrator ECSC-1
    SV-6797r1_rule SRC-EPT-192 LOW Remote access devices will be configured so that the operation of the NIC and the modem are mutually exclusive. Disabling of the NIC while the modem is enabled reduces the risk associated with being on a LAN with a dial-up connection. System Administrator ECSC-1
    SV-6799r1_rule SRC-EPT-360 LOW Changes to the security configuration of software or hardware of a Government-controlled remote access device are made without prior approval of the IAO. Strong configuration controls will help prevent unauthorized configuration changes and software installs for the remote devices. Information Assurance Officer ECSC-1
    SV-6800r1_rule SRC-EPT-405 MEDIUM A device that accesses a DOD network remotely does not have a personal firewall installed. A personal firewall is required to protect the laptop from malicious activity while accessing a DOD network remotely. System Administrator ECSC-1
    SV-6801r1_rule SRC-EPT-406 LOW The site will establish a configuration baseline and policy regarding the use and configuration of personal firewalls for remote access clients. A firewall configuration baseline will allow the IAO to have a mechanism to check the compliance of a firewall with the site policy. These configurations can sometimes be updated by users and should be compared to a baseline. System Administrator ECSC-1
    SV-6804r1_rule SRC-EPT-400 HIGH Configure the endpoint firewall to block operationally unneeded ports. Blocking all unneeded ports protects the device from potential attacks and worms. (Remote Only) System Administrator ECSC-1
    SV-6805r1_rule SRC-EPT-410 HIGH The host-based firewall installed on the endpoint device will be configured to a Deny-by-Default posture in accordance with the Ports and Protocols Service Management (PPSM) list. Blocking these ports protects the device from denial-of-service attacks. (Remote Only) System Administrator ECSC-1
    SV-6810r1_rule SRC-EPT-420 MEDIUM Host-based firewall will be configured in a deny-by-default mode for ports and services. Configuring the personal firewall to be in deny-by-default posture will ensure only known and needed ports are opened for traffic. (Remote Only) System Administrator ECSC-1
    SV-6811r1_rule SRC-EPT-430 LOW Host-based firewalls installed on the endpoint devices will be configured to log all inbound connections. Logs are needed in the event that an attack was successful or in order to detect potentially malicious activity. (Remote Only) System Administrator ECSC-1
    SV-6812r1_rule SRC-EPT-440 LOW The remote user will be trained to inspect the firewall logs at least weekly and report any unusual events or suspicious activity to their security officer. Log review is an important step in determining if potentially malicious activity has occurred and then can be reported. System Administrator ECSC-1
    SV-6813r1_rule SRC-EPT-450 MEDIUM The personal firewall must be set to a minimum level of "Medium" or other designated intermediate setting or higher. By setting the overall firewall to an intermediate/"Medium" or high, a protection mechanism is in place to protect the machine from malicious activity. (Remote Only) System Administrator ECSC-1
    SV-6815r1_rule SRC-EPT-570 MEDIUM Encrypt sensitive data (e.g., FOUO, Privacy Act information) stored on remote access/telework clients using a whole disk encryption method. The encryption system is on the Data at Rest (DAR) approved products list or is FIPS 140-2 overall Level 1 or 2 validated (as directed by the DAA based on the sensitivity of the data). The July 3, 2007 DoD Policy Memorandum "Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media" requires that remote and mobile drives be encrypted using FIPS 140-2 modules. With a few exceptions products
    SV-6817r1_rule SRC-EPT-590 MEDIUM The remote user will back up and store the private encryption key in a secure location. If the encryption key is lost, the data will be nonrecoverable. System Administrator ECSC-1
    SV-6818r1_rule SRC-EPT-600 LOW Establish a mechanism or put a procedure in place for key and/or data recovery to prevent loss of data if the user loses the encryption key. Without a mechanism for key recovery, any data that was encrypted with the key could be lost. System Administrator ECSC-1
    SV-6819r1_rule SRC-EPT-800 MEDIUM The VPN client on the endpoint device will be configured to disable or disallow split tunneling. Split tunneling needs to be disabled so traffic is not visible to two networks at the same time. This means that printing for teleworkers will not be available. (Remote Only) System Administrator ECSC-1
    SV-6820r1_rule SRC-EPT-610 MEDIUM The VPN client configuration will be protected by access control so the remote user cannot change the security settings. Without proper configuration control, security controls can become lessened on a remote access machine. System Administrator ECSC-1
    SV-6821r1_rule SRC-EPT-620 LOW Remote users will be trained or given instructions on proper and authorized usage of the VPN client prior to accessing the DoD network. Without proper training, remote users may not completely understand the procedures for connecting to a DoD network remotely, which may result in a system compromise. System Administrator ECSC-1
    SV-6822r1_rule SRC-EPT-630 MEDIUM Configure the IPSec VPN client to use attributes such as 3DES, tunnel encapsulation mode, and a FIPS 140-2 approved authentication algorithm. An approved algorithm must be used in order to protect data during the VPN session. (Remote Only) System Administrator ECSC-1
    SV-20954r1_rule SRC-EPT-350 MEDIUM Ensure SNMP is disabled or not installed on all remote access endpoints. There are many known vulnerabilities in the SNMP protocol and if the default community strings and passwords are not modified, an unauthorized individual could gain control of the endpoint. This could lead to a denial of service or the compromise of sensi