
Disable Routing and Remote Access unless Routing and Remote Access use is necessary.


CONTROL ID: 01824
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Disable all unnecessary services unless otherwise noted in a policy exception. (CC ID: 00880)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • NetWare 6.5 can be set to act as a router with full routing capabilities. Routing should be disabled unless the server is being used to route network traffic. The routing capabilities are disabled by default. The following routing options should be disabled: IP Packet Forwarding, RIP, and OSPF. (§ 7.13, The Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings Benchmark, 1)
  • The Routing and Remote Access service is used to allow computers from different networks to interact with each other. This service is usually not needed on workstations. It should be Disabled. The permissions on this service should also be Administrator: Full Control; System: Read, Start, Stop, and … (§ 4.1.11, The Center for Internet Security Windows 2000 Professional Benchmark, 2.2.1)
  • This service is used to allow computers from one network to interact with computers on another network. This service should be Disabled. If you cannot disable it, lock it down as much as possible. For more information, visit http://www.microsoft.com/TechNet/columns/cableguy/cg0601.asp. (§ 4.1.11, The Center for Internet Security Windows 2000 Server Benchmark, 2.2.1)
  • The organization must only enable Routing and Remote Access if absolutely necessary. RRAS is not fully implemented on Windows XP Professional like it is in the server operating systems. Users generally don't need RRAS on workstations. If this service cannot be disabled, it should be locked down as … (§ 4.1.1.15, The Center for Internet Security Windows XP Professional SP1/SP2 Benchmark, 2.01)
  • Do not give remote access to the database unless the communication is encrypted and the access is necessary. (§ 3-10, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003)
  • Table F-1: For Windows 2000 Server, the organization must configure the permissions for Routing and Remote Access to Administrators: Full Control; System: Read; and System: Start, Stop, and Pause. Table F-3: For Windows 2000 Professional, the organization must configure the permissions for Routing a… (Table F-1, Table F-3, Table F-4, CMS Business Partners Systems Security Manual, Rev. 10)
  • Broadband or high-speed connections used for Remote Access, Mobile Access and Telework introduce a greater risk of an attack compared to dial-up connections since users are connected for much longer periods and these connections often use static IP addresses provided by Internet Service Providers … (§ 2.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 2, Release 1)
  • The Routing and Remote Access service should be disabled. The service should be documented if enabling it is required. (§ 5.2.2.1, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • The Routing and Remote Access service should be Disabled, unless absolutely necessary. If it is Enabled, there should be a documented and justified reason. (§ 5.2.2.1, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • For all Windows XP environments, this service should be Disabled. (§ 6.5, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1)
  • States that this service provides routing services for LAN to LAN, LAN to WAN, VPN, dial-up, and VPN access services. The Routing and Remote Access service should be Disabled. (Pg 69, NSA Guide to Security Microsoft Windows XP)
  • Set routing policies/configuration. The defaultrouter file is used to provide a default network route for the machine and set up static routing. (§ 4.8, NSA Guide to the Secure Configuration of Solaris 9, Version 1.0)