Inbound exceptions to the firewall on domain workstations must only allow authorized management systems and remote management hosts.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17395	5.407	SV-18451r2_rule	ECSC-1	Low

Description
Allowing inbound access to domain workstations from other systems may allow lateral movement across systems if credentials are compromised. Limiting inbound connections only from authorized management systems and remote management hosts will help limit this exposure.

STIG	Date
Windows XP Security Technical Implementation Guide	2013-03-14

Details

Check Text ( C-45421r1_chk )
If the following registry values do not exist or are not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings\ Value Name: Enabled Type: REG_DWORD Value: 1 Value Name: RemoteAddresses Type: REG_SZ Value: "IP address / subnet defined in the domain firewall policy" This must limit connections to only those from authorized management systems and remote management hosts. If the value specified does not limit connections to authorized management systems or remote management hosts, this is a finding. If the system is not a member of a domain, the Domain Profile requirements can be marked NA. If a third-party firewall is used, verify a comparable setting has been implemented. The Remote Endpoint STIG contains additional firewall requirements for systems used remotely.

Check Text ( C-45421r1_chk )

If the following registry values do not exist or are not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Subkey: \SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings\

Value Name: Enabled
Type: REG_DWORD
Value: 1

Value Name: RemoteAddresses
Type: REG_SZ
Value: "IP address / subnet defined in the domain firewall policy" This must limit connections to only those from authorized management systems and remote management hosts.

If the value specified does not limit connections to authorized management systems or remote management hosts, this is a finding.

If the system is not a member of a domain, the Domain Profile requirements can be marked NA.

If a third-party firewall is used, verify a comparable setting has been implemented.

The Remote Endpoint STIG contains additional firewall requirements for systems used remotely.

Fix Text (F-40986r3_fix)
Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile "Windows Firewall: Allow remote administration exception" to "Enabled" with IP addresses or subnets that limit connections to only authorized management systems and remote management hosts. Configure a comparable setting if a third-party firewall is used.

Fix Text (F-40986r3_fix)

Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile "Windows Firewall: Allow remote administration exception" to "Enabled" with IP addresses or subnets that limit connections to only authorized management systems and remote management hosts.

Configure a comparable setting if a third-party firewall is used.