Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3175 | NET1636 | SV-28748r3_rule | ECSC-1 | High |
Description |
---|
Network devices with no password for administrative access via a management connection provide the opportunity for anyone with network access to the device to make configuration changes enabling them to disrupt network operations resulting in a network outage. |
STIG | Date |
---|---|
Perimeter Router Security Technical Implementation Guide Juniper | 2017-12-07 |
Check Text ( C-29085r4_chk ) |
---|
Review the network device configuration to verify all management connections for administrative access require authentication. With the exception of root, all user access privileges to a Juniper router are defined in a class. All users who log in to the router must be in a login class. Hence, user access to the router is via login class. Following is an example: [edit system] authentication-order [ radius password ]; radius-server { 192.168.6.5 { secret "xxxxxxx"; } } login { /* login classes */ class tier1 { idle-timeout 10; permissions all; } class tier2 { idle-timeout 10; permissions [ configure interface network routing snmp system trace view firewall ]; } /* local emgergency account */ user admin { full-name Administrator; uid 2000; class tier1; authentication { encrypted-password "xxxx"; # SECRET-DATA } } /* RADIUS templates */ user tier1 { uid 2001; class tier1; } user tier2 { uid 2002; class tier2; } } Note: When SSH is enabled, all users can use this service to access the router---including the root account. Access to the root account via SSH must be disabled via root-login deny command. Following is an example configuration: [edit system] services { ssh { root-login deny; |
Fix Text (F-3200r3_fix) |
---|
Configure authentication for all management connections. |