
Establish, implement, and maintain network parameter modification procedures.


CONTROL ID
01517
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Configure the IPsec security association lifetime to organizational standards., CC ID: 16508
  • Configure route filtering to organizational standards., CC ID: 16359
  • Configure security gateways to organizational standards., CC ID: 16352
  • Configure network elements to organizational standards., CC ID: 16361
  • Configure routing tables to organizational standards., CC ID: 15438
  • Configure "NetBT NodeType configuration" to organizational standards., CC ID: 15383
  • Configure "Allow remote server management through WinRM" to organizational standards., CC ID: 15364
  • Configure "Allow network connectivity during connected-standby (on battery)" to organizational standards., CC ID: 15342
  • Configure BOOTP queries to be accepted or denied by the DHCP Server, as appropriate., CC ID: 06040
  • Enable TCP wrappers., CC ID: 01567
  • Configure devices to block or avoid outbound connections., CC ID: 04807
  • Configure devices to deny inbound connections., CC ID: 04805
  • Review and restrict network addresses and network protocols., CC ID: 01518
  • Disable the XDMCP port., CC ID: 01563
  • Prevent syslog from accepting messages from the network., CC ID: 01562
  • Prevent X server from listening on port 6000/tcp., CC ID: 01565
  • Configure the Intrusion Detection System and the Intrusion Prevention System to accept the organizational vulnerability scanning host or vendor's originating IP address., CC ID: 01645
  • Configure the "Network access: Allow anonymous SID/Name translation" setting to organizational standards., CC ID: 01717
  • Configure the "Network access: Do not allow anonymous enumeration of SAM accounts" setting., CC ID: 01718
  • Configure the "Network access: Do not allow anonymous enumeration of SAM accounts and shares" setting., CC ID: 01719
  • Enable Data Execution Protection for all applications., CC ID: 01720
  • Enable digital encryption or digital signatures of secure channel data., CC ID: 01736
  • Enable digital signatures of communications using the Server Message Block protocol., CC ID: 01762
  • Configure the "Microsoft network client: Send unencrypted password to connect to third-party SMB servers" setting., CC ID: 01764
  • Configure the amount of idle time required before disconnecting an idle session., CC ID: 01763
  • Enable the disconnect clients setting (server) or force logoff setting (client) if the account's allotted logon period expires., CC ID: 01765
  • Configure the "Network access: Do not allow storage of credentials or .NET Passports for network authentication" setting., CC ID: 01766
  • Configure the "Network access: Let Everyone permissions apply to anonymous users" setting., CC ID: 01767
  • Configure the "Network access: Named pipes that can be accessed anonymously" setting., CC ID: 01768
  • Configure the "Network access: Remotely accessible registry paths" setting., CC ID: 01769
  • Configure the "Network access: Sharing and security model for local accounts" setting., CC ID: 01771
  • Configure the "Network security: Do not store LAN Manager hash value on next password change" setting., CC ID: 01772
  • Configure the "Network security: LAN Manager authentication level" setting., CC ID: 01773
  • Configure the "Network security: LDAP client signing requirements" setting., CC ID: 01774
  • Configure Lightweight Directory Access Protocol connections for security., CC ID: 04451
  • Configure the least session security for NT LM Security Support Provider based clients (including secure RPC) and servers settings., CC ID: 01775
  • Enable the LDAP cache manager as necessary., CC ID: 01460
  • Configure firewalls in accordance with organizational standards., CC ID: 01926
  • Disable Internet Connection Sharing., CC ID: 02035
  • Disable anonymous DDP., CC ID: 02193
  • Configure the "Set client connection encryption level" setting., CC ID: 04321
  • Configure the "Network access: Restrict anonymous access to named pipes and shares" setting to organizational standards., CC ID: 04381
  • Configure the "Intranet Sites: Include all network paths (UNCs)" setting., CC ID: 04414
  • Configure RConsoleJ in NetWare., CC ID: 04460
  • Configure Secure Console in NetWare., CC ID: 04461
  • Disable Universal Description, Discovery, and Integration., CC ID: 04466
  • Enable encryption for connections that transfer restricted data over HyperText Transfer Protocol., CC ID: 04473
  • Use HyperText Transfer Protocol Secure to protect authenticators or other restricted data or restricted information., CC ID: 04474
  • Configure Windows Messenger to prevent access to the internet., CC ID: 04518
  • Configure the "Always wait for the network at computer startup and logon" setting to organizational standards., CC ID: 04519
  • Do not configure anonymous File Transfer Protocol on computers located inside a defined security perimeter., CC ID: 04527
  • Create an access control list on Network Access and Control Points to restrict access., CC ID: 04810
  • Configure Print Services to use port 9100 and/or port 515., CC ID: 04811
  • Configure the SSH server in accordance with organizational standards., CC ID: 04843
  • Configure Network Time Protocol., CC ID: 04844
  • Configure multicasting., CC ID: 04845
  • Set the apache2 server's ServerTokens value properly., CC ID: 05720
  • Set the apache2 server's ServerSignature value properly., CC ID: 05721
  • Configure "Configuration of wireless settings using Windows Connect Now" to organizational standards., CC ID: 05722
  • Configure X11 forwarding via Secure Shell, as appropriate., CC ID: 05723
  • Enable the NIS passwd daemon as necessary., CC ID: 05725
  • Enable the NIS update daemon as necessary., CC ID: 05726
  • Enable the NIS xfr daemon as necessary., CC ID: 05727
  • Enable or disable strict destination multihoming, as appropriate., CC ID: 05728
  • Enable or disable IPv4 strict multihoming, as appropriate., CC ID: 05729
  • Enable the appropriate tunneling protocol for Internet Protocol version 6., CC ID: 05730
  • Enable or disable the automatic loading of the IPv6 kernel module, as appropriate., CC ID: 05731
  • Configure the router advertisements settings to organizational standards., CC ID: 05732
  • Configure IPv6 privacy extensions properly., CC ID: 05733
  • Set the default number of global unicast IPv6 addresses allowed per network interface properly., CC ID: 05734
  • Set the default number of IPv6 router solicitations for network interfaces to send properly., CC ID: 05735
  • Set the default number of IPv6 duplicate address detection solicitations for network interfaces to send per configured network address properly., CC ID: 05736
  • Enable or disable IPv6 strict multihoming, as appropriate., CC ID: 05737
  • Enable or disable IP routing, as appropriate., CC ID: 05738
  • Enable or disable reverse source routed packets, as appropriate., CC ID: 05739
  • Restrict packet forwarding, as appropriate., CC ID: 05740
  • Set unestablished TCP connection queues and established TCP connection queues properly., CC ID: 05741
  • Enable or disable the LDAP dynamic updates feature, as appropriate., CC ID: 05742
  • Configure the "Prohibit use of Internet Connection Firewall on your DNS domain network" setting properly., CC ID: 05743
  • Enable or disable printing services through inetd, as appropriate., CC ID: 05744
  • Enable or disable firewall access to printing services, as appropriate., CC ID: 05745
  • Set the Secure Shell largest number for authentication retries., CC ID: 05749
  • Configure the "Server SPN target name validation level" properly., CC ID: 06067
  • Configure the "Allow Local System NULL session fallback" setting properly., CC ID: 06068
  • Configure the "Restrict NTLM" settings properly., CC ID: 06069
  • Configure the "Allow Local System to use computer identity for NTLM" setting properly., CC ID: 06070
  • Configure the "Configure encryption types allowed for Kerberos" setting properly., CC ID: 06071
  • Configure the "Allow PKU2U authentication requests to this computer to use online identities" setting properly., CC ID: 06072
  • Configure wireless communication to be encrypted using strong cryptography., CC ID: 06078
  • Reserve the use of VLAN1 to in-band management., CC ID: 06413
  • Disallow Internet Protocol (IP) directed broadcasts., CC ID: 06571
  • Configure the "source-routed packets" setting to organizational standards., CC ID: 08977
  • Disable feedback on protocol format validation errors., CC ID: 10646
  • Configure the "6to4 Relay Name" setting to organizational standards., CC ID: 10688
  • Configure the "6to4 Relay Name Resolution Interval" setting to organizational standards., CC ID: 10689
  • Configure the "6to4 State" setting to organizational standards., CC ID: 10690
  • Configure the "Automated Site Coverage by the DC Locator DNS SRV Records" setting to organizational standards., CC ID: 10759
  • Configure the "Best effort service type Layer-3 Differentiated Services Code Point (DSCP) value for packets that conform to the flow specification" setting to organizational standards., CC ID: 10764
  • Configure the "Best effort service type Layer-3 Differentiated Services Code Point (DSCP) value for packets that do not conform to the flow specification" setting to organizational standards., CC ID: 10765
  • Configure the "Best effort service type link layer (Layer-2) priority value" setting to organizational standards., CC ID: 10766
  • Configure the "BranchCache for network files" setting to organizational standards., CC ID: 10776
  • Configure the "Network Options preference logging and tracing" setting to organizational standards., CC ID: 10796
  • Configure the "Network Shares preference logging and tracing" setting to organizational standards., CC ID: 10797
  • Configure the "slow-link mode" setting to organizational standards., CC ID: 10820
  • Configure the "Controlled load service type Layer-3 Differentiated Services Code Point (DSCP) value for packets that conform to the flow specification" setting to organizational standards., CC ID: 10826
  • Configure the "Controlled load service type Layer-3 Differentiated Services Code Point (DSCP) for packets that do not conform to the flow specification" setting to organizational standards., CC ID: 10827
  • Configure the "Controlled load service type link layer (Layer-2) priority value" setting to organizational standards., CC ID: 10828
  • Configure the "Corporate DNS Probe Host Address" setting to organizational standards., CC ID: 10829
  • Configure the "Corporate DNS Probe Host Name" setting to organizational standards., CC ID: 10830
  • Configure the "Corporate Site Prefix List" setting to organizational standards., CC ID: 10831
  • Configure the "Corporate Website Probe URL" setting to organizational standards., CC ID: 10832
  • Configure the "DC Locator DNS records not registered by the DCs" setting to organizational standards., CC ID: 10838
  • Configure the "DNS Suffix Search List" setting to organizational standards., CC ID: 10890
  • Configure the "Do not detect slow network connections" setting to organizational standards., CC ID: 10926
  • Configure the "Do not show the "local access only" network icon" setting to organizational standards., CC ID: 10936
  • Configure the "Dynamic Registration of the DC Locator DNS Records" setting to organizational standards., CC ID: 10943
  • Configure the "Group Policy slow link detection" setting to organizational standards., CC ID: 10982
  • Configure the "Guaranteed service type Layer-3 Differentiated Services Code Point (DSCP) value for packets that conform to the flow specification" setting to organizational standards., CC ID: 10983
  • Configure the "Guaranteed service type Layer-3 Differentiated Services Code Point for packets that do not conform to the flow specification" setting to organizational standards., CC ID: 10984
  • Configure the "Guaranteed service type link layer (Layer-2) priority value" setting to organizational standards., CC ID: 10985
  • Configure the "Limit the maximum network bandwidth used for Peercaching" setting to organizational standards., CC ID: 11017
  • Configure the "Location of the DCs hosting a domain with single label DNS name" setting to organizational standards., CC ID: 11024
  • Configure the "Minimum Idle Connection Timeout for RPC/HTTP connections" setting to organizational standards., CC ID: 11046
  • Configure the "Network control service type Layer-3 Differentiated Services Code Point (DSCP) value for packets that conform to the flow specification" setting to organizational standards., CC ID: 11049
  • Configure the "Network control service type Layer-3 Differentiated Services Code Point (DSCP) value for packets that do not conform to the flow specification" setting to organizational standards., CC ID: 11050
  • Configure the "Network control service type link layer (Layer-2) priority value" setting to organizational standards., CC ID: 11051
  • Configure the "Network Projector Port Setting" setting to organizational standards., CC ID: 11052
  • Configure the "Override the More Gadgets link" setting to organizational standards., CC ID: 11060
  • Configure the "Prevent backing up to network location" setting to organizational standards., CC ID: 11070
  • Configure the "Primary DNS Suffix" setting to organizational standards., CC ID: 11094
  • Configure the "Primary DNS Suffix Devolution" setting to organizational standards., CC ID: 11095
  • Configure the "Priority Set in the DC Locator DNS SRV Records" setting to organizational standards., CC ID: 11099
  • Configure the "Prohibit installation and configuration of Network Bridge on your DNS domain network" setting to organizational standards., CC ID: 11102
  • Configure the "Prompt user when a slow network connection is detected" setting to organizational standards., CC ID: 11109
  • Configure the "Qualitative service type Layer-3 Differentiated Services Code Point (DSCP) value for packets that conform to the flow specification" setting to organizational standards., CC ID: 11113
  • Configure the "Qualitative service type Layer-3 Differentiated Services Code Point (DSCP) value for packets that do not conform to the flow specification" setting to organizational standards., CC ID: 11114
  • Configure the "Qualitative service type link layer (Layer-2) priority value" setting to organizational standards., CC ID: 11115
  • Configure the "Refresh Interval of the DC Locator DNS Records" setting to organizational standards., CC ID: 11119
  • Configure the "Register DNS records with connection-specific DNS suffix" setting to organizational standards., CC ID: 11120
  • Configure the "Require domain users to elevate when setting a network's location" setting to organizational standards., CC ID: 11133
  • Configure the "Route all traffic through the internal network" setting to organizational standards., CC ID: 11149
  • Configure the "Set a support web page link" setting to organizational standards., CC ID: 11171
  • Configure the "Set PNRP cloud to resolve only" setting for "IPv6 Link Local" to organizational standards., CC ID: 11179
  • Configure the "Set the Seed Server" setting for "IPv6 Link Local" to organizational standards., CC ID: 11190
  • Configure the "Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers" setting to organizational standards., CC ID: 11197
  • Configure the "Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers" setting to organizational standards., CC ID: 11198
  • Configure the "Sites Covered by the Application Directory Partition Locator DNS SRV Records" setting to organizational standards., CC ID: 11202
  • Configure the "Sites Covered by the DC Locator DNS SRV Records" setting to organizational standards., CC ID: 11203
  • Configure the "Sites Covered by the GC Locator DNS SRV Records" setting to organizational standards., CC ID: 11204
  • Configure the "Slow network connection timeout for user profiles" setting to organizational standards., CC ID: 11205
  • Configure the "TTL Set in the DC Locator DNS Records" setting to organizational standards., CC ID: 11252
  • Configure the "Turn off Connect to a Network Projector" setting to organizational standards., CC ID: 11272
  • Configure the "Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com" setting to organizational standards., CC ID: 11283
  • Configure the "Turn off Microsoft Peer-to-Peer Networking Services" setting to organizational standards., CC ID: 11289
  • Configure the "Turn off Multicast Bootstrap" setting for "IPv6 Link Local" to organizational standards., CC ID: 11291
  • Configure the "Turn off PNRP cloud creation" setting for "IPv6 Link Local" to organizational standards., CC ID: 11299
  • Configure the "Turn off Registration if URL connection is referring to Microsoft.com" setting to organizational standards., CC ID: 11305
  • Configure the "Turn off Windows Network Connectivity Status Indicator active tests" setting to organizational standards., CC ID: 11328
  • Configure the "Weight Set in the DC Locator DNS SRV Records" setting to organizational standards., CC ID: 11371
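The kernel-level items in the list above (IP routing, reverse source-routed packets, packet forwarding, IP directed broadcasts, router advertisements, TCP connection queues) and the "Set appropriate network parameter modifications" sections of the CIS benchmarks cited under the authority documents all come down to the same procedure: name each kernel network parameter, fix its required value in an organizational standard, verify the live value against that standard, and route any change through change control. The shell script below is an added example, not part of this control or of any cited benchmark. It audits a sysctl(8)-style parameter dump against a baseline and emits the remediation commands for review before they are applied. The baseline values follow common Linux hardening guidance but are an assumption, and the sample dump is constructed for the example; substitute your own standard and a real `sysctl -a` capture.

```shell
#!/bin/sh
# Added example: audit kernel network parameters against an
# organizational baseline and emit remediation commands for review.

# Assumed organizational baseline: "key required_value" per line.
# Adapt to your own standard; these are illustrative values only.
BASELINE='net.ipv4.ip_forward 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.log_martians 1
net.ipv4.tcp_syncookies 1
net.ipv6.conf.all.accept_ra 0'

# Constructed sample in "sysctl -a" format (not captured from a real
# host). ip_forward, accept_redirects and tcp_syncookies deviate from
# the baseline, and log_martians is absent altogether.
SAMPLE='net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 0
net.ipv6.conf.all.accept_ra = 0'

# audit_params: read a "key = value" dump on stdin and compare every
# baseline key with it. Prints one "key expected actual" line per
# deviation; a key missing from the dump is reported as MISSING so it
# is never silently treated as compliant. Only single-value parameters
# are handled (multi-field values such as tcp_rmem need extra logic).
audit_params() {
    live=$(cat)
    printf '%s\n' "$BASELINE" | while read -r key want; do
        have=$(printf '%s\n' "$live" | awk -v k="$key" '$1 == k { print $3 }')
        if [ -z "$have" ]; then
            printf '%s %s MISSING\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then
            printf '%s %s %s\n' "$key" "$want" "$have"
        fi
    done
}

# remediation_commands: turn the deviation list into the sysctl -w
# commands that would restore the baseline. They are printed, not run,
# so they can be attached to a change request first. Persisting the
# values (for example in /etc/sysctl.d/) is a separate step.
remediation_commands() {
    audit_params | awk '{ printf "sysctl -w %s=%s\n", $1, $2 }'
}

# audit_live: run the audit against the current host. Not invoked
# here so the script runs offline on the constructed sample.
audit_live() {
    sysctl -a 2>/dev/null | audit_params
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | audit_params
printf '%s\n' "$SAMPLE" | remediation_commands
```

Run the audit from a scheduled job or a configuration-management check and treat any non-empty output as a deviation to investigate, since a parameter that drifts back (through a package post-install script, an interface coming up, or a module load) is exactly what the "maintain" part of this control is about.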


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Set appropriate network parameter modifications. (§ 4.2, The Center for Internet Security AIX Benchmark, 1.0.1)
  • Set appropriate network parameter modifications. (§ 4.2, The Center for Internet Security HP-UX Benchmark, 1.4.2)
  • Set appropriate network parameter modifications. (§ 4.1, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.0.5)
  • Set appropriate network parameter modifications. (§ 4.1, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.1.1)
  • Set appropriate network parameter modifications. (§ 4.1, The Center for Internet Security Slackware Linux Benchmark, 1.1)
  • Set appropriate network parameter modifications. (§ 3.5, The Center for Internet Security Solaris 10 Benchmark, 2.1.2)
  • Set appropriate network parameter modifications. (§ 4.4, The Center for Internet Security Solaris Benchmark, 1.5.0)
  • Set appropriate network parameter modifications. (§ 4.1, The Center for Internet Security SuSE Linux Enterprise Server Benchmark, 2)
  • Examine configurations for NSCs to verify that configurations identified as no longer being supported by a business justification are removed or updated. (1.2.7.c, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine network configuration settings to identify changes made to configurations of NSCs. Interview responsible personnel and examine change control records to verify that identified changes to configurations of NSCs were approved and managed in accordance with Requirement 6.5.1. (1.2.2.c, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Network devices should be subject to standard security management practices, which includes applying a comprehensive set of management tools (e.g., maintenance utilities, remote support, and enterprise management tools). (CF.09.01.03c, The Standard of Good Practice for Information Security)
  • Information Systems and networks accessible by external connections should be designed to achieve technical compatibility (e.g., using standards for information formats and communications protocols). (CF.09.03.02a, The Standard of Good Practice for Information Security)
  • Filtering of network traffic should be based on predefined rules (or tables) that have been developed by trusted individuals. (CF.09.04.07a, The Standard of Good Practice for Information Security)
  • Network devices should be subject to standard security management practices, which includes applying a comprehensive set of management tools (e.g., maintenance utilities, remote support, and enterprise management tools). (CF.09.01.03c, The Standard of Good Practice for Information Security, 2013)
  • Information Systems and networks accessible by external connections should be designed to achieve technical compatibility (e.g., using standards for information formats and communications protocols). (CF.09.03.02a, The Standard of Good Practice for Information Security, 2013)
  • Filtering of network traffic should be based on predefined rules (or tables) that have been developed by trusted individuals. (CF.09.04.07a, The Standard of Good Practice for Information Security, 2013)
  • By ensuring the proper configuration of network parameters, the system can aid in the defense against attacks. The system administrator should ensure network parameters are securely set. (§ 3.20.5, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1)
  • The information assurance officer or network security officer must ensure Mandatory Access Control addresses are statically configured for all access ports that use Mandatory Access Control filtering for logical port security. (§ 3.4.1.3.2 ¶ AC34.030, DISA Access Control STIG, Version 2, Release 3)
  • The operating system must not allow users the ability to change security settings without prior approval. (§ 5.1, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • Modify network parameters. The S69netconfig script will be executed at boot time to reconfigure various network parameters. (§ 4.4, NSA Guide to the Secure Configuration of Solaris 9, Version 1.0)