Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network.
Identification and authentication techniques used in the establishment of non-local maintenance and diagnostic sessions must be consistent with the network access requirements in IA-2. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric.
Examples of types of applications used for non-local maintenance and diagnostic activities are provided below. Use as an example does not imply compliance with policy requirements or approval for use. Examples include, but are not limited to, Terminal Services, Remote Desktop, Dameware, and VNC (all variants).
If non-local maintenance and diagnostic sessions are performed without the use of a strong authenticator bound to the user, the user's identity cannot be trusted. This can result in unauthenticated access to maintenance administrator functionality.