CCI-001941
Implement replay-resistant authentication mechanisms for access to privileged accounts and/or non-privileged accounts.
The A10 Networks ADC must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

The DBN-6300 must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

The FortiGate device must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: High

The network device must implement replay-resistant authentication mechanisms for network access to privileged accounts.
6 rules found Severity: Medium

When connecting to the MQ Appliance network device using the WebGUI, it must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

The WebSphere Application Server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.
2 rules found Severity: Medium

Nutanix AOS must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

Riverbed Optimization System (RiOS) must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

Innoslate must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
1 rule found Severity: High

Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
2 rules found Severity: Medium

Symantec ProxySG must implement HTTPS-console to provide replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

Multi-factor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
1 rule found Severity: Medium

1 rule found Severity: High

The Arista network devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.
1 rule found Severity: High

The Cisco ASA must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

The Cisco switch must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.
2 rules found Severity: High

The Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

For accounts using password authentication, the Cisco ISE must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

The HPE 3PAR OS CIMserver process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.
1 rule found Severity: High

The HPE 3PAR OS WSAPI process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.
1 rule found Severity: High

AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
1 rule found Severity: High

The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.
1 rule found Severity: Medium

The Sentry providing mobile device authentication intermediary services must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
1 rule found Severity: Medium

The Juniper EX switch must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

ONTAP must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

The Riverbed NetProfiler must be configured to implement cryptographic mechanisms using a FIPS 140-2/140-3 validated algorithm to protect the confidentiality and integrity of all cryptographic functions.
1 rule found Severity: High

SLEM 5 must have SSH installed to protect the confidentiality and integrity of transmitted information.
1 rule found Severity: High

2 rules found Severity: Medium

Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
2 rules found Severity: Medium

The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.
1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

2 rules found Severity: Medium

The macOS system must enforce multifactor authentication for privilege escalation through the sudo command.
2 rules found Severity: Medium

The ALG providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
1 rule found Severity: Medium

The application server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.
1 rule found Severity: Medium

The application must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

The application must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
1 rule found Severity: Medium

The Cisco router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.
2 rules found Severity: High

The Central Log Server must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

The Cisco switch must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

The container platform must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

The container platform must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
1 rule found Severity: Medium

The Dell OS10 Switch must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

Dragos must allow only the individuals appointed by the information system security manager (ISSM) to have full admin rights to the system.
1 rule found Severity: Medium

The operating system must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

The operating system must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
1 rule found Severity: Medium

AOS must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

The HYCU virtual appliance must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

The Juniper router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

The Juniper SRX Services Gateway must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

1 rule found Severity: Medium

SharePoint must use replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
1 rule found Severity: Medium

1 rule found Severity: Medium

Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
1 rule found Severity: Medium

Windows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less.
1 rule found Severity: Medium

1 rule found Severity: Medium

Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
1 rule found Severity: Medium

1 rule found Severity: Medium

Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
1 rule found Severity: Medium

Windows Server 2022 computer clock synchronization tolerance must be limited to five minutes or less.
1 rule found Severity: Medium

OpenShift must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

The Palo Alto Networks security platform must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).
2 rules found Severity: Medium

The UEM server must use FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: High

The UEM server must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
1 rule found Severity: Medium

The VMM must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1 rule found Severity: Medium

The VMM must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
1 rule found Severity: Medium

The ESXi host must uniquely identify and must authenticate organizational users by using Active Directory.
2 rules found Severity: Low

1 rule found Severity: Medium

The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
1 rule found Severity: High

The TLS VPN must be configured to use replay-resistant authentication mechanisms for network access to nonprivileged accounts.
1 rule found Severity: Medium

1 rule found Severity: Medium

The vCenter Server must use DOD-approved encryption to protect the confidentiality of network sessions.
1 rule found Severity: Medium

Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.
1 rule found Severity: High
