Unnecessary/unused remote control/management/configuration protocols are not disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17702	RTS-VTC 3130.00	SV-18876r1_rule	DCBP-1 ECSC-1	Medium

Description
Management or other protocols, secure or not, that are not required or used for management of, or access to, a device in a given implementation, but are active and available for a connection, places the device at risk of compromise and unauthorized access. These protocols must be disabled or turned off.

STIG	Date
Video Services Policy STIG	2020-02-25

Details

Check Text ( C-18972r1_chk )
[IP]; Interview the IAO and validate compliance with the following requirement: Ensure remote access ports, protocols, and services used for VTC system/device “Remote Control/Management/Configuration” are disabled, turned off, or removed if not required in the specific implementation of the device. Determine what ports, protocols, and services are required for in the specific implementation of the device. Have the SA demonstrate the device configuration regarding these protocols or independently validate that only the required ports, protocols, and services are active. Validation can be performed by performing a scan of the network and management interface of the system/device. This is a finding if it is determined that there are ports, protocols, and services active that are not needed for the specific implementation of the device.

Check Text ( C-18972r1_chk )

[IP]; Interview the IAO and validate compliance with the following requirement:

Ensure remote access ports, protocols, and services used for VTC system/device “Remote Control/Management/Configuration” are disabled, turned off, or removed if not required in the specific implementation of the device.

Determine what ports, protocols, and services are required for in the specific implementation of the device. Have the SA demonstrate the device configuration regarding these protocols or independently validate that only the required ports, protocols, and services are active. Validation can be performed by performing a scan of the network and management interface of the system/device. This is a finding if it is determined that there are ports, protocols, and services active that are not needed for the specific implementation of the device.

Fix Text (F-17599r1_fix)
[IP]; Perform the following tasks: Configure the VTC system/device such that unused or unneeded ports, protocols, and services are disabled or removed from the system.