Skip to content

Ivanti Connect Secure NDM Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000412-NDM-000331

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to implement cryptographic mechanisms using a FIPS 140-2/3 approved algorithm.

    &lt;VulnDiscussion&gt;This configuration protects to protect the confidentiality of Web UI session and guards against DoS attacks. This requires ...
    Rule High Severity
  • SRG-APP-000516-NDM-000350

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to send admin log data to a redundant central log server.

    &lt;VulnDiscussion&gt;The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate sec...
    Rule High Severity
  • SRG-APP-000340-NDM-000288

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to prevent nonprivileged users from executing privileged functions.

    &lt;VulnDiscussion&gt;Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or proces...
    Rule High Severity
  • SRG-APP-000343-NDM-000289

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.

    &lt;VulnDiscussion&gt;Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external enti...
    Rule Medium Severity
  • SRG-APP-000395-NDM-000310

    <GroupDescription></GroupDescription>
    Group
  • If SNMP is used, the ICS must be configured to use SNMPv3 with FIPS-140-2/3 validated Keyed-Hash Message Authentication Code (HMAC).

    &lt;VulnDiscussion&gt;Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. B...
    Rule Medium Severity
  • SRG-APP-000395-NDM-000347

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to authenticate Network Time Protocol (NTP) sources using authentication that is cryptographically based.

    &lt;VulnDiscussion&gt;If Network Time Protocol is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be us...
    Rule Medium Severity
  • SRG-APP-000374-NDM-000299

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to record time stamps for audit records that can be mapped to Greenwich Mean Time (GMT).

    &lt;VulnDiscussion&gt;If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analys...
    Rule Medium Severity
  • SRG-APP-000357-NDM-000293

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to allocate local audit record storage capacity in accordance with organization-defined audit record storage requirements.

    &lt;VulnDiscussion&gt;In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able ...
    Rule Medium Severity
  • SRG-APP-000169-NDM-000257

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to enforce password complexity by requiring that at least one special character be used.

    &lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, ...
    Rule Medium Severity
  • SRG-APP-000148-NDM-000346

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.

    &lt;VulnDiscussion&gt;Authentication for administrative (privileged level) access to the device is required at all times. An account can be created...
    Rule Medium Severity
  • SRG-APP-000190-NDM-000267

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to terminate after 10 minutes of inactivity except to fulfill documented and validated mission requirements.

    &lt;VulnDiscussion&gt;Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take c...
    Rule High Severity
  • SRG-APP-000149-NDM-000247

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to use DOD PKI as multifactor authentication (MFA) for interactive logins.

    &lt;VulnDiscussion&gt;MFA is when two or more factors are used to confirm the identity of an individual who is requesting access to digital informa...
    Rule High Severity
  • SRG-APP-000373-NDM-000298

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to synchronize internal information system clocks using redundant authoritative time sources.

    &lt;VulnDiscussion&gt;The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run ...
    Rule Medium Severity
  • SRG-APP-000516-NDM-000344

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to obtain its public key certificates from an appropriate certificate policy through an approved service provider.

    &lt;VulnDiscussion&gt;For user certificates, each organization obtains certificates from an approved and shared service provider, as required by OM...
    Rule Medium Severity
  • SRG-APP-000516-NDM-000341

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to support organizational requirements to conduct weekly backups of information system documentation, including security-related documentation.

    &lt;VulnDiscussion&gt;Information system backup is a critical step in maintaining data assurance and availability. Information system and security-...
    Rule Medium Severity
  • SRG-APP-000516-NDM-000351

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to run an operating system release that is currently supported by Ivanti.

    &lt;VulnDiscussion&gt;Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated...
    Rule High Severity
  • SRG-APP-000164-NDM-000252

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to enforce a minimum 15-character password length.

    &lt;VulnDiscussion&gt;Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute...
    Rule Medium Severity
  • SRG-APP-000172-NDM-000259

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to transmit only encrypted representations of passwords.

    &lt;VulnDiscussion&gt;Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are...
    Rule High Severity
  • SRG-APP-000170-NDM-000329

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password.

    &lt;VulnDiscussion&gt;If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of pass...
    Rule Medium Severity
  • SRG-APP-000168-NDM-000256

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to enforce password complexity by requiring that at least one numeric character be used.

    &lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, ...
    Rule Medium Severity
  • SRG-APP-000167-NDM-000255

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to enforce password complexity by requiring that at least one lowercase character be used.

    &lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, ...
    Rule Medium Severity
  • SRG-APP-000166-NDM-000254

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to enforce password complexity by requiring that at least one uppercase character be used.

    &lt;VulnDiscussion&gt;Use of a complex passwords helps to increase the time and resources required to compromise the password. Password complexity,...
    Rule Medium Severity
  • SRG-APP-000175-NDM-000262

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to use DOD approved OCSP responders or CRLs to validate certificates used for PKI-based authentication.

    &lt;VulnDiscussion&gt;Once issued by a DOD certificate authority (CA), public key infrastructure (PKI) certificates are typically valid for three y...
    Rule High Severity
  • SRG-APP-000091-NDM-000223

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to generate audit records when successful/unsuccessful attempts to access privileges occur.

    &lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficu...
    Rule Medium Severity
  • SRG-APP-000001-NDM-000200

    <GroupDescription></GroupDescription>
    Group
  • The ICS must be configured to limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type.

    &lt;VulnDiscussion&gt;Device management includes the ability to control the number of administrators and management sessions that manage a device. ...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules