
Ensure remote access for privileged tasks such as network devices, host, or application administration is compliant.


Overview

Finding ID: V-19834
Version: SRC-RAP-050
Rule ID: SV-21997r1_rule
IA Controls:
Severity: High

Description
If remote access is used to connect to a network or host for privileged access, stringent security controls will be implemented. AAA network security services provide the primary framework through which a network administrator can set up access control and authorization on network points of entry or network access servers. It is not advisable to configure access control on the VPN gateway or remote access server. Separation of services provides added assurance to the network if the access control server is compromised.

STIG: Remote Access Policy STIG
Date: 2016-03-28

Details

Check Text (C-22223r1_chk)
View the configuration of the RAS and/or remote VPN gateway. Verify that a AAA (authentication) server is required for privileged access to the remote access device by reviewing the authentication screen.

Verify that the configuration requires the following:
1. Multi-factor authentication (e.g., PKI, SecurID, or DoD Alternate Token) using a AAA server;
2. Identification and personal authentication uses individually assigned accounts rather than group or shared accounts or authenticators; and
3. Encryption using FIPS 140-2 compliant algorithms and encryption modules (e.g., AES).

Also verify that a network review has been performed using the Network Infrastructure STIG and the architecture complies with the In- and Out-of-band requirements of the appropriate Network Infrastructure STIG.

Fix Text (F-20517r1_fix)
The remote access administrator will configure the remote access or VPN server to use the TACACS+, RADIUS or Diameter server for administrative access.