CCI-001942
The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.
1
Rule
Severity: Medium
The ALG providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
1
Rule
Severity: Medium
The application must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
1
Rule
Severity: Medium
The CA API Gateway providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
1
Rule
Severity: Medium
CounterACT, when providing user authentication intermediary services, must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
1
Rule
Severity: Medium
IBM Aspera Console must be configured with a preestablished trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges.
1
Rule
Severity: Medium
IBM Aspera Faspex must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
1
Rule
Severity: Medium
IBM Aspera Shares must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
1
Rule
Severity: Medium
The DataPower Gateway providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
1
Rule
Severity: Medium
The Sentry providing mobile device authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
1
Rule
Severity: Medium
The Juniper SRX Services Gateway VPN must use anti-replay mechanisms for security associations.
2
Rule
Severity: Medium
The built-in DNS client must be disabled.
1
Rule
Severity: Medium
Nutanix AOS must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1
Rule
Severity: Medium
Symantec ProxySG providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
1
Rule
Severity: Medium
The UEM server must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
1
Rule
Severity: Medium
The TLS VPN must be configured to use replay-resistant authentication mechanisms for network access to non-privileged accounts.
1
Rule
Severity: Medium
The IPsec VPN Gateway must use anti-replay mechanisms for security associations.
1
Rule
Severity: High
The macOS system must disable the SSHD service.
1
Rule
Severity: Medium
The macOS system must enable SSH server for remote access sessions.
1
Rule
Severity: High
The Ubuntu operating system must enforce SSHv2 for network access to all accounts.
1
Rule
Severity: Medium
The container platform must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
1
Rule
Severity: Medium
The operating system must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
2
Rule
Severity: High
AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
2
Rule
Severity: Medium
Kerberos user logon restrictions must be enforced.
2
Rule
Severity: Medium
The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
2
Rule
Severity: Medium
The Kerberos user ticket lifetime must be limited to 10 hours or less.
2
Rule
Severity: Medium
The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
2
Rule
Severity: Medium
The computer clock synchronization tolerance must be limited to 5 minutes or less.
3
Rule
Severity: Medium
Windows Server 2019 Kerberos user logon restrictions must be enforced.
3
Rule
Severity: Medium
Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
3
Rule
Severity: Medium
Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less.
3
Rule
Severity: Medium
Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
3
Rule
Severity: Medium
Windows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less.
3
Rule
Severity: Medium
Windows Server 2022 Kerberos user logon restrictions must be enforced.
3
Rule
Severity: Medium
Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
3
Rule
Severity: Medium
Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less.
3
Rule
Severity: Medium
Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
3
Rule
Severity: Medium
Windows Server 2022 computer clock synchronization tolerance must be limited to five minutes or less.
2
Rule
Severity: High
OpenShift must use FIPS validated LDAP or OpenIDConnect.
1
Rule
Severity: Medium
RHEL 9 must use the CAC smart card driver.
2
Rule
Severity: Medium
The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).
1
Rule
Severity: Medium
The VMM must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
1
Rule
Severity: Low
The ESXi host must use Active Directory for local user authentication.
3
Rule
Severity: Low
The ESXi host must uniquely identify and must authenticate organizational users by using Active Directory.
1
Rule
Severity: Medium
The Photon operating system must use an OpenSSH server version that does not support protocol 1.
1
Rule
Severity: Medium
The application must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Endpoint must be configured to implement replay-resistant authentication mechanisms for network access.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager must be configured to implement attack-resistant mechanisms for Voice Video Endpoint registration.
1
Rule
Severity: Medium
The Sentry providing mobile device authentication intermediary services must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
1
Rule
Severity: Medium
MKE must be configured to integrate with an Enterprise Identity Provider.
1
Rule
Severity: Medium
RHEL 9 must use the common access card (CAC) smart card driver.
1
Rule
Severity: High
SLEM 5 must have SSH installed to protect the confidentiality and integrity of transmitted information.