Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-18836 | SRC-NAC-080 | SV-20589r3_rule | | High |
Description |
---|
Automated policy assessment must validate the organization's minimum security requirements so entry control decisions do not put the organization at risk because of a compromised remote device. Outdated or disabled security functions on remote endpoints present an immediate threat to the trusted network if allowed entry based solely on the user’s access and authorization, particularly if the user has elevated access or management access to data and systems. The goal of this policy is centralized policy assessment for remote access devices. Each of the checks required in this policy serves to mitigate known risks to the trusted network using the endpoint as an attack vector, thus all must be configured to meet this requirement. |
STIG | Date |
---|---|
Remote Access Policy STIG | 2016-03-28 |
Check Text (C-22571r4_chk) |
---|
Review the assessment policies configured on the NAC device to ensure the required checks are included. The required checks are listed below:

- Check anti-virus software is installed, enabled, and virus signatures and scan engine are up-to-date
- Check host-based firewall is installed, enabled, and up-to-date
- Check Host-based IDS (HIDS) is installed, enabled, and up-to-date
- Check operating system is at minimum required version and update level
- Check for the presence of file-sharing and peer-to-peer applications
- Scan for known and unknown (zero-day) virus outbreaks

If the remote access policy assessment solution does not include all of the minimum required checks above, this is a finding.

Fix Text (F-19508r4_fix) |
---|
Configure the assessment policy for the NAC device to scan remote endpoints prior to connection to an organization's network. The following are a minimum set of required checks:

- Check anti-virus software is installed, enabled, and virus signatures and scan engine are up-to-date
- Check host-based firewall is installed, enabled, and up-to-date
- Check Host-based IDS (HIDS) is installed, enabled, and up-to-date
- Check operating system is at minimum required version and update level
- Check for the presence of file-sharing and peer-to-peer applications
- Scan for known and unknown (zero-day) virus outbreaks