
Configure network protection settings to organizational standards.


CONTROL ID: 07601
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Configure the "CNI" plugin to organizational standards., CC ID: 14659
  • Configure the "data-path-addr" argument to organizational standards., CC ID: 14546
  • Configure the "advertise-addr" argument to organizational standards., CC ID: 14544
  • Configure the "nftables" to organizational standards., CC ID: 15320
  • Configure the "iptables" to organizational standards., CC ID: 14463
  • Configure the "insecure registries" to organizational standards., CC ID: 14455
  • Configure the "MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)" to organizational standards., CC ID: 07602
  • Configure the "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" to organizational standards., CC ID: 07648
  • Configure the "net-host" argument to organizational standards., CC ID: 14529
  • Configure the "firewalld" to organizational standards., CC ID: 15321
  • Configure the "network bridge" to organizational standards., CC ID: 14501
  • Configure the "Windows Firewall: Domain: Firewall state" to organizational standards., CC ID: 07667
  • Configure the "MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)" to organizational standards., CC ID: 07680
  • Configure the "Windows Firewall: Public: Outbound connections" to organizational standards., CC ID: 07695
  • Configure the "MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic." to organizational standards, CC ID: 07703
  • Configure the "MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)" to organizational standards., CC ID: 07733
  • Configure the "publish" argument to organizational standards., CC ID: 14500
  • Configure the "Windows Firewall: Private: Inbound connections" to organizational standards., CC ID: 07747
  • Configure the "Windows Firewall: Private: Apply local firewall rules" to organizational standards., CC ID: 07777
  • Configure the "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" to organizational standards., CC ID: 07801
  • Configure the "Windows Firewall: Private: Firewall state" to organizational standards., CC ID: 07803
  • Configure the "Windows Firewall: Domain: Apply local connection security rules" to organizational standards., CC ID: 07805
  • Configure the "Windows Firewall: Domain: Apply local firewall rules" to organizational standards., CC ID: 07833
  • Configure the "Windows Firewall: Public: Display a notification" to organizational standards., CC ID: 07836
  • Configure the "Windows Firewall: Domain: Outbound connections" to organizational standards., CC ID: 07839
  • Configure the "Windows Firewall: Public: Apply local firewall rules" to organizational standards., CC ID: 07850
  • Configure the "Windows Firewall: Domain: Inbound connections" to organizational standards., CC ID: 07851
  • Configure the "Windows Firewall: Private: Outbound connections" to organizational standards., CC ID: 07858
  • Configure the "Windows Firewall: Public: Firewall state" to organizational standards., CC ID: 07861
  • Configure the "Windows Firewall: Domain: Display a notification" to organizational standards., CC ID: 07868
  • Configure the "Windows Firewall: Public: Inbound connections" to organizational standards., CC ID: 07872
  • Configure the "Windows Firewall: Public: Allow unicast response" to organizational standards., CC ID: 07873
  • Configure the "Windows Firewall: Private: Allow unicast response" to organizational standards., CC ID: 07885
  • Configure the "Windows Firewall: Public: Apply local connection security rules" to organizational standards., CC ID: 07890
  • Configure the "Windows Firewall: Domain: Allow unicast response" to organizational standards., CC ID: 07893
  • Configure the "Windows Firewall: Private: Apply local connection security rules" to organizational standards., CC ID: 07896
  • Configure the "Windows Firewall: Private: Display a notification" to organizational standards., CC ID: 07902
  • Configure the "Windows Firewall: Protect all network connections" to organizational standards., CC ID: 08161
  • Configure the "Windows Firewall: Allow inbound UPnP framework exceptions" to organizational standards., CC ID: 08170
  • Configure the "Windows Firewall: Allow local program exceptions" to organizational standards., CC ID: 08173
  • Configure the "Windows Firewall: Do not allow exceptions" to organizational standards., CC ID: 08184
  • Configure the "MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)" to organizational standards., CC ID: 08208
  • Configure the "MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)" to organizational standards., CC ID: 08210
  • Configure the "Windows Firewall: Allow local port exceptions" to organizational standards., CC ID: 08214
  • Configure the "Windows Firewall: Define inbound port exceptions" to organizational standards., CC ID: 08215
  • Configure the "Windows Firewall: Prohibit unicast response to multicast or broadcast requests" to organizational standards., CC ID: 08217
  • Configure the "Windows Firewall: Prohibit notifications" to organizational standards., CC ID: 08249
  • Configure the "Windows Firewall: Allow inbound file and printer sharing exception" to organizational standards., CC ID: 08275
  • Configure the "MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged" to organizational standards., CC ID: 08279
  • Configure the "Windows Firewall: Define inbound program exceptions" to organizational standards., CC ID: 08282
  • Configure the "Windows Firewall: Allow ICMP exceptions" to organizational standards., CC ID: 08289
  • Configure the "Windows Firewall: Allow inbound Remote Desktop exceptions" to organizational standards., CC ID: 08295
  • Configure the "Allow unencrypted traffic" to organizational standards., CC ID: 08383
  • Configure the "Windows Firewall: Private: Logging: Log successful connections" to organizational standards., CC ID: 08466
  • Configure the "Windows Firewall: Public: Logging: Size limit (KB)" to organizational standards., CC ID: 08494
  • Configure the "Windows Firewall: Domain: Logging: Log successful connections" to organizational standards., CC ID: 08544
  • Configure the "Windows Firewall: Private: Logging: Name" to organizational standards., CC ID: 08595


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • If an unauthorized change is detected to the software, the device should alert the user and/or administrator to the issue and should not connect to wider networks than those necessary to perform the alerting function. (Provision 5.7-2, CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements, ETSI EN 303 645, V2.1.1)
  • Wireless use control may be implemented in different devices that make up the system. Network devices may be one of the devices that assist with use control through controls such as network admission control. For devices and applications that utilize wireless networks those devices should be able to… (6.4.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)