ForeScout CounterACT NDM Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000516-NDM-000338
Group -
The network device must be configured to use a centralized authentication server to authenticate privileged users for remote and nonlocal access for device management.
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrato...Rule Low Severity -
SRG-APP-000069-NDM-000216
Group -
CounterACT must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
The administrator must acknowledge the banner prior to CounterACT allowing the administrator access to CounterACT. This provides assurance that the administrator has seen the message and accepted t...Rule Low Severity -
SRG-APP-000371-NDM-000296
Group -
SRG-APP-000516-NDM-000336
Group -
Administrative accounts for device management must be configured on the authentication server and not the network device itself (except for the account of last resort).
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrato...Rule Medium Severity -
SRG-APP-000166-NDM-000254
Group -
If multifactor authentication is not supported and passwords must be used, CounterACT must enforce password complexity by requiring that at least one upper-case character be used.
Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisti...Rule Medium Severity -
SRG-APP-000167-NDM-000255
Group -
If multifactor authentication is not supported and passwords must be used, CounterACT must enforce password complexity by requiring that at least one lower-case character be used.
Some devices may not have the need to provide a group authenticator; this is considered a matter of device design. In those instances where the device design includes the use of a group authenticat...Rule Medium Severity -
SRG-APP-000001-NDM-000200
Group -
For the local account, CounterACT must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Nonlocal account are configured on...Rule Medium Severity -
CounterACT must enforce a 60-day maximum password lifetime restriction.
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and pe...Rule Medium Severity -
CounterACT must support organizational requirements to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner.
System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execu...Rule Medium Severity -
CounterACT must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure...Rule Medium Severity -
CounterACT appliances performing maintenance functions must restrict use of these functions to authorized personal only.
There are security-related issues arising from software brought into the network device specifically for diagnostic and repair actions (e.g., a software packet sniffer installed on a device to trou...Rule High Severity -
CounterACT must employ automated mechanisms to centrally apply authentication settings.
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrato...Rule Medium Severity -
CounterACT must terminate all network connections associated with an Enterprise Manager Console session upon Exit, or session disconnection, or after 10 minutes of inactivity, except where prevented by documented and validated mission requirements.
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port th...Rule Medium Severity -
CounterACT must allow only authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media.
This protection is required to prevent unauthorized alteration, corruption, or disclosure of information when not stored directly on the network device. Files on the network device or on removable...Rule Medium Severity -
CounterACT must enforce password complexity by requiring that at least one special character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...Rule Medium Severity -
CounterACT must be configured to synchronize internal information system clocks with the organizations primary and secondary NTP servers.
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other ...Rule Medium Severity -
CounterACT must restrict the ability to change the auditing to be performed within the system log based on selectable event criteria to the audit administrators role or to other roles or individuals.
If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to effectively respond, and important ...Rule Medium Severity -
In the event the authentication server is unavailable, one local account must be created for use as the account of last resort.
Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on CounterACT's local database for use in an emergency, such as when th...Rule Medium Severity -
CounterACT must compare internal information systems clocks at least every 24 hours with an authoritative time server.
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when condu...Rule Medium Severity -
CounterACT must limit the number of concurrent sessions to an organization-defined number for each administrator account type.
Network device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per a...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.