V-18836 |
high |
If a policy assessment server or service is used as part of an automated access control decision point (for authentication and authorization of unmanaged remote endpoints to the network), the remote access solution must include the minimum required policy assessment checks for unmanaged devices prior to allowing remote access to the network. |
Automated policy assessment must validate the organization's minimum security requirements so entry control decisions do not put the organization at risk because of a compromised remote device… |
V-18855 |
high |
Remote access to perform privileged or network management tasks must employ endpoint devices that are controlled (documented), managed (e.g., use a transient NAC agent), and kept updated and compliant with applicable DoD security policies. |
If endpoint devices used to access restricted networks and systems are not compliant with security policies and able to pass policy assessment then privileged information and systems may be at… |
V-18851 |
high |
The DAA will approve all remote access connections that bypass the policy enforcement/assessment solution. |
Remote access connections that bypass established security controls should be allowed only in cases of administrative need. These procedures and use cases must be approved by the DAA. |
V-19830 |
high |
Ensure the classified or sensitive information is transmitted over approved communications systems or non-DoD systems, and an NSA Type 1 certified remote access security solution is in place for remote access to a classified network and is only used from an approved location. |
Failure to use approved communications equipment and security measures can lead to unauthorized disclosure, loss, or compromise of classified information. |
V-19834 |
high |
Ensure remote access for privileged tasks such as network devices, host, or application administration is compliant. |
If remote access is used to connect to a network or host for privileged access, stringent security controls will be implemented. AAA network security services provide the primary framework… |
V-19151 |
high |
Ensure an NSA certified remote access security solution (e.g., HARA) is used for remote access to a classified network and will only be used from an approved location. |
Use of improperly configured or lower assurance equipment and solutions could compromise high value information. |
V-18837 |
medium |
Ensure that for unmanaged client endpoints, the system must automatically scan the device once it has connected to the physical network but before giving access to the trusted internal LAN. |
Unmanaged devices that are not controlled or configured by DoD should not be used on the network. Contractor and partner equipment must also comply with DoD endpoint configuration requirements and… |
V-18835 |
medium |
Configure the devices and servers in the network access control solution (e.g., NAC, assessment server, policy decision point) so they do not communicate with other network devices in the DMZ or subnet except as needed to perform a remote access client assessment or to identify themselves. |
Since the network access control devices and servers should have no legitimate reason for communicating with other devices outside of the assessment solution, any direct communication with… |
V-18853 |
medium |
Endpoints that access the remediation server will not have access to other network resources that are not part of the remediation process. |
This type of access could permit an unauthorized endpoint onto the network. Depending on the critical nature of the authorization failure (e.g., virus detected), this type of access could place the… |
V-19152 |
medium |
Endpoints accessing the classified network will be Government owned/leased equipment and protected to the classification level of the data that the device is able to access. |
Equipment owned or controlled by non-DoD entities may contain malware or other vulnerabilities which may present a danger to the network. |
V-19150 |
medium |
Remote/telework endpoints that are not capable (e.g., lack enough memory or resources) of meeting the compliance requirements for anti-virus, firewall, and web browser configuration will not be permitted access to the DoD network. |
If the client is incapable of employing critical security protections, then allowing access to that device could expose the network to potentially significant risk. |
V-18852 |
medium |
For networks which do not allow unmanaged devices, remote endpoints that fail the device authentication check will not proceed with the policy assessment checks (authorization checks) and remote access will be denied. |
Devices that fail authentication are not permitted on the network. These devices may contain malware or content which is harmful to the enclave. |
V-18590 |
medium |
Ensure a remote access security policy manager is used to manage the security policy on devices used for remote network connection or remote access. |
A centralized policy manager provides a consistent security policy, particularly in environments with multiple remote access devices such as multiple VPNs or RAS devices. This is a best practice… |
V-18680 |
medium |
If a policy assessment server or service is used as part of an automated access control decision point (to accept non-DoD owned and/or managed remote endpoints to the network), only devices that are both authenticated to the network and compliant with network policies are allowed access. |
In this STIG, a managed device is defined as a device that has installed software (i.e., an agent) that allows the device to be managed and queried from a remote server. Thus, an unmanaged device… |
V-18536 |
medium |
Ensure unused management interfaces, ports, protocols, and services are removed or disabled on devices providing remote access services to remote users. |
When services, ports, and protocols are enabled by default or are not regularly used, SAs can neglect to secure or update them. These services can then become a path for exploitation since they… |
V-18535 |
medium |
Ensure the use of a vendor-supported version of the remote access server, remote access policy server, NAC appliance, VPN, and/or communication server software. |
Unsupported versions will lack security enhancements as well as support provided by the vendors to address vulnerabilities. The system administrator must monitor IAVM, OS, or OEM patch or… |
V-19833 |
medium |
Ensure the remote access server (RAS) is located in a dual-homed screened subnet. |
Without a screened subnet architecture, traffic that would normally be destined for the DMZ would have to be redirected to the site's internal network. This would allow a greater opportunity… |
V-19832 |
medium |
Ensure the traffic for remote access network devices (e.g., RAS, NAC, VPN) is inspected by the network firewall and IDS/IPS using an approved architecture. |
The incorrect placement of the external NIDS may allow unauthorized access to go undetected and limit the ability of security personnel to stop malicious or unauthorized use of the network. Use of… |
V-18847 |
medium |
If the device requesting remote network access fails the network policy assessment tests, then the policy server will communicate with the remote access device (e.g., VPN gateway or RAS) to perform an approved action based on the requirements of this policy. |
If a device fails the site's approved security policy assessment test, then it may contain compromised data. Using a VLAN keeps trusted and untrusted traffic separated while the… |
V-18844 |
medium |
The policy assessment/enforcement device will be configured to use a separate authentication server (e.g., IAS, Active Directory, RADIUS, TACACS+) to perform user authentication. |
The remote user policy assessment/enforcement device will be installed on a separate host from the authentication server. This device interacts directly with public networks and devices and… |
V-18843 |
medium |
Client agents which have been customized with DoD restricted, non-public information or information which may divulge network details (e.g., internal IP ranges or network host names) will not be installed on unmanaged, non-government client endpoints such as kiosks and public computers. |
Unmanaged clients such as partner or contractor-owned devices should not contain restricted government information. |
V-18842 |
medium |
The network access control solution (e.g., NAC appliance, policy server) will provide the capability to implement integrity checking to ensure the client agent itself has not been altered or otherwise compromised. |
Remote access devices are often lost or stolen. They represent a threat to the enclave if the agent is compromised, as this is the data collection entity in the policy assessment solution. An… |
V-19149 |
medium |
When connected via the public Internet, users will be trained to immediately establish a connection to the DoD network via the VPN client. |
The DoD architecture is extensive and is designed to protect the enclave and its endpoints. When a remote user accesses the Internet directly, this infrastructure is not leveraged. All… |
V-18854 |
medium |
After remediation, unmanaged (non-DoD owned or controlled) endpoints will not be given access to network resources, but will be forced to reapply via the network policy assessment server and be reassessed for compliance. |
After initial remediation, unmanaged devices should be tested again prior to authorization and admittance. This will mitigate the risk that the remediation did not completely eliminate the cause… |
V-21799 |
medium |
Do not process, store, or transmit DoD information on public computers (e.g., those available for use by the general public in kiosks or hotel business centers) or computers that do not have access controls. |
There may be hardware or keyboard capture software which could monitor computer usage and keystrokes. Also, these computers may contain viruses and other malicious code which may infect DoD… |
V-18622 |
medium |
The remote access policy will provide separation of traffic based on sensitivity and user trust levels. |
Device authentication must be performed at the perimeter or on a subnet separate from the trusted internal enclave. User authentication ensures the user is authorized for access. However, user… |
V-19140 |
medium |
Ensure remote endpoints that are owned, controlled, and/or managed by DoD for processing or accessing DoD sensitive, non-public assets comply with the requirements. |
Unmanaged endpoints must be configured according to the organization’s security policy and standards before these devices can be allowed access to even the most non-sensitive areas of the network… |
V-18833 |
low |
Ensure devices failing policy assessment that are not automatically remediated, either before or during the remote access session, are flagged for future manual or automated remediation. |
Devices not compliant with DoD secure configuration policies will not be permitted to use DoD licensed software.
The device status will be updated on the network and in the HBSS agent. A reminder… |
V-18834 |
low |
During security policy assessment, a procedure will exist that when critical security issues are found that put the network at risk, the remote endpoint will be placed immediately on the “blacklist” and the connection will be terminated. |
Automated and manual procedures for remediation of critical security updates will be managed differently. Continuing to assess and remediate endpoints with risks that could endanger the network… |
V-18838 |
low |
Automated access control solution is validated under the National Information Assurance Partnership (NIAP) Common Criteria as meeting U.S. Government protection requirements. |
DOD requires that products used for IA be NIAP compliant. |
V-18750 |
low |
Ensure remote endpoint policy assessment proceeds only after the endpoint attempting remote access has been identified using an approved method such as 802.1x or an EAP tunnel within PPP. |
Trusted computing should require authentication and authorization of both the user's identity and the identity of the computing device. It is possible that an authorized user may be accessing the… |
V-18754 |
low |
When automated remediation is used, ensure the remote access solution is configured to notify the remote user before proceeding with remediation of the user’s endpoint device. |
Notification will let the user know that installation is in progress and may take a while. This notice may deter the user from disconnecting and retrying the connection before the remediation is… |
V-21800 |
low |
Where non-DoD information systems are used for processing unclassified emails for the teleworker whose normal duty location is in the mobile or telework location(s), the user will have the ability to send and receive digitally encrypted and signed email. |
DoD Instruction 8510.01, “DoD Information Assurance Certification and Accreditation Process (DIACAP).” Users need this capability to read and send digitally signed email and to ensure non-repudiation. |
V-19145 |
low |
Users who telework regularly are informed of the requirement to configure home networking routers or firewall appliances to implement NAT. |
Configuring NAT on the network security gateway or firewall will help prevent hosts on the Internet from accessing the DOD teleworker computer directly. |
V-14751 |
low |
Sites allowing contractors, non-DoD entities, or other DoD organizations to remotely connect to the enclave will establish written Memorandums of Agreement (MOAs) with the contractor or other organization. |
To provide the maximum level of security for both the DoD network and the remote corporate enterprise, an MOA is needed that allows administrative oversight and confiscation of compromised equipment. |
V-19139 |
low |
Develop a user agreement to be signed by all remote users prior to obtaining access. This agreement may be integrated with the site’s remote access usage training. |
Lack of user training and understanding of responsibilities to safeguard wireless technology are a significant vulnerability to the enclave. Once policies are established, users must be trained… |
V-19383 |
low |
Ensure that when a TLS VPN is used, endpoints that fail “required” critical endpoint security checks will receive either no access or only limited access. |
Remote endpoint devices requesting TLS portal access will either be disconnected or given limited access as designated by the DAA and system owner if the device fails the authentication or… |
V-19382 |
low |
Ensure that devices to be used in FIPS-compliant applications will use FIPS-compliant functions and procedures. |
It is not enough to enable FIPS encryption. To gain the full security implied by the FIPS standard, the functions and procedures required by the FIPS 140-2 documents must also be implemented. |
V-19381 |
low |
Ensure that prior to purchasing a TLS VPN, the system has the capability to require RSA key establishment. |
NOTE: TLS 1.0 and later uses the ephemeral Diffie-Hellman key establishment method, but this does not meet the requirements of NIST SP 800-56A. NIST has granted a waiver from this requirement for… |
V-19831 |
low |
Ensure the required accreditation documentation (e.g., DIP) is kept updated. |
The most critical part of a remote access solution is to create a centralized point of access and authentication close to the network edge. This device manages access to network resources on the… |
V-18846 |
low |
Where automated remediation is used for remote access clients, traffic separation will be implemented, and authorized and unauthorized network traffic will use separate security domains (e.g., Virtual Local Area Networks (VLANs)). |
A device can pass authentication by presenting valid credentials. However, in a properly configured automated admission access control solution, the device must also be compliant with security… |
V-19147 |
low |
Provide teleworker training on good practices for operating a secure network. |
Changing the default passwords on the devices helps protect against attackers using these LANs to gain access to the device. Lists of manufacturer default passwords are widely available on the Internet. |
V-18841 |
low |
Regardless of the type of endpoint used, the communication between the policy enforcement device (e.g., NAC appliance) and the agent must be protected by encryption (e.g., SSL/TLS over HTTP, EAP-TLS, EAP over PPP). |
Communications between the remote client and the system which makes the decision to allow or terminate access to the network is privileged traffic. Privileged communication should be separated… |
V-19143 |
low |
Remote user agreement will contain a Standard Mandatory Notice and Consent Provision. |
Lack of user training as evidenced by signed documentation may indicate the users lack understanding of their responsibilities to safeguard the network and be a significant vulnerability to the enclave. |
V-19148 |
low |
When connected to a non-DoD owned network, remote users are trained to either disable the wireless radio or disconnect the network cable when communication is no longer needed or the VPN is disconnected. |
Endpoints that are directly connected to public networks are vulnerable to various forms of attack the longer they remain connected. A properly configured VPN adds defense in depth… |
V-19144 |
low |
Train users not to connect remote clients which process sensitive information directly into the broadband modem. |
If a telework device connects directly to the teleworker’s ISP, such as plugging the device directly into a cable modem, then the device is directly accessible from the Internet and at high risk… |
V-25034 |
low |
Users must receive training on required topics before they are authorized to access a DoD network via a wireless remote access device. |
Improper use of wireless remote access to a DoD network can compromise both the wireless client and the network, as well as expose DoD data to unauthorized people. Without adequate training… |
V-25036 |
low |
The site physical security policy must include a statement if CMDs with digital cameras (still and video) are permitted or prohibited on or in the DoD facility. |
Wireless clients, networks, and data could be compromised if unapproved wireless remote access is used. In most cases, unapproved devices are not managed and configured as required by the… |
V-25035 |
low |
The site must have a Wireless Remote Access Policy signed by the site AO, Commander, Director, or other appropriate authority. |
Wireless clients, DoD data, and the DoD network could be compromised if operational policies for the use of wireless remote access are not documented by the site. |
V-19142 |
low |
Develop a computer security checklist to be completed and signed by the remote user. This checklist will inform and remind the user of the potential security risks inherent with remote access methods. |
Lack of user training and understanding of responsibilities to safeguard the network are a significant vulnerability to the enclave. Once policies are established, users must be trained to these… |
V-19146 |
low |
Train users to configure the home networking router or firewall appliance to protect devices on the home network from each other (isolation); the devices are logically separated by the appliance or router (on a different logical segment of the network). |
If a personal firewall on a computer malfunctioned, the appliance or router would still protect the computer from unauthorized network communications from external computers. In some cases, the… |