Skip to content

The Cisco ISE must enforce access restrictions associated with changes to the firmware, OS, and hardware components.

An XCCDF Rule

Description

<VulnDiscussion>Changes to the hardware or software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. This requirement applies to updates of the application files, configuration, ACLs, and policy filters. RBAC policies determine if an administrator can be granted a specific type of access to a menu item or other identity group data elements. You can grant or deny access to a menu item or identity group data element to an administrator based on the admin group, by using RBAC policies. When administrators log in to the Admin portal, they can access menus and data that are based on the policies and permissions defined for the admin groups with which they are associated. RBAC policies map admin groups to menu access and data access permissions. For example, you can prevent Access operations menu and the policy data elements. This can be achieved by creating a custom RBAC policy for the admin group with which that network administrator is associated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-242632r879887_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

1. Choose Administration >> System >> Admin Access >> Administrators >> Admin Groups.
2. Review the users for the groups with edit access such as Helpdesk Admin, Network Device Admin, SuperAdmin, and System Admin at a minimum.
3. To delete users from the admin group, check the check box corresponding to the user that you want to delete, and click "Remove".
4. Click "Submit".