Inadequate “operator/facilitator/administrator” access control for remote monitoring of a VTU connected to an IP network.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-17600 | RTS-VTC 1162.00 | SV-18727r1_rule | DCBP-1 ECSC-1 IAIA-1 IAIA-2 | Medium |
| Description |
|---|
| Activation and use of remote monitoring and control features such as those discussed here and in RTS-VTC 1160.00 must be protected by access control. Minimally this must be the administrator password; however, access to this feature should not give full administrator access. |
| STIG | Date |
|---|---|
| Video Services Policy STIG | 2020-02-25 |
Details
| Check Text ( C-18900r1_chk ) |
|---|
| [IP]; Interview the IAO to validate compliance with the following requirement: In the event the VTU is connected to an IP network ensure access to IP remote monitoring and associated control functions of the VTU is minimally protected by a password. Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU. i.e., remote monitoring must be able to have a password set in order to access remote monitoring features. Verify that an administrator password is required to access remotely accessible VTU. Have the IAO or SA demonstrate compliance with the requirement. |
| Fix Text (F-17518r1_fix) |
|---|
| [IP]; Perform the following tasks: If IP remote monitoring is activated, configure the VTU to require a password before permitting access to the remote monitoring and associated control functions. |