III - Administrative Sensitive
Rules and Groups employed by this XCCDF Profile
-
SRG-NET-000147
<GroupDescription></GroupDescription>Group -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to implement replay-resistant authentication mechanisms for network access.
<VulnDiscussion>A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authen...Rule Medium Severity -
SRG-NET-000213
<GroupDescription></GroupDescription>Group -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to terminate all network connections associated with a communications session at the end of the session.
<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take c...Rule High Severity -
SRG-NET-000230
<GroupDescription></GroupDescription>Group -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to use FIPS-validated SHA-2 or higher to protect the authenticity of communications sessions.
<VulnDiscussion>Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false in...Rule Medium Severity -
SRG-NET-000236
<GroupDescription></GroupDescription>Group -
In the event of a device failure, Enterprise Voice, Video, and Messaging Endpoints must preserve any information necessary to determine cause of failure and return to operations with least disruption to service.
<VulnDiscussion>Failure in a known state can address safety or security in accordance with the mission needs of the organization. Failure to ...Rule Medium Severity -
SRG-NET-000334
<GroupDescription></GroupDescription>Group -
The Enterprise Voice, Video, and Messaging Endpoint must offload audit records onto a different system or media than the system being audited.
<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common ...Rule Medium Severity -
SRG-NET-000352
<GroupDescription></GroupDescription>Group -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to use cryptographic algorithms approved by NSA to protect NSS when transporting classified traffic across an unclassified network.
<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. NIST cryptographi...Rule Medium Severity -
SRG-NET-000353
<GroupDescription></GroupDescription>Group -
The Enterprise Voice, Video, and Messaging Endpoint must provide an explicit indication of current participants in all Videoconference (VC)-based and IP-based online meetings and conferences.
<VulnDiscussion>Providing an explicit indication of current participants in teleconferences helps to prevent unauthorized individuals from pa...Rule Medium Severity -
SRG-NET-000371
<GroupDescription></GroupDescription>Group -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to use FIPS-compliant algorithms for network traffic.
<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised as unprotected communicat...Rule High Severity -
SRG-NET-000400
<GroupDescription></GroupDescription>Group -
The Enterprise Voice, Video, and Messaging Endpoint, when using passwords or PINs for authentication or authorization, must be configured to cryptographically protect the PIN or password.
<VulnDiscussion>Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are ...Rule High Severity -
SRG-NET-000503
<GroupDescription></GroupDescription>Group -
The Enterprise Voice, Video, and Messaging Endpoint must generate audit records when successful/unsuccessful logon attempts occur.
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficu...Rule Medium Severity -
SRG-NET-000504
<GroupDescription></GroupDescription>Group -
The Enterprise Voice, Video, and Messaging Endpoint must generate audit records for privileged activities or other system-level access.
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficu...Rule Medium Severity -
SRG-NET-000505
<GroupDescription></GroupDescription>Group -
The Enterprise Voice, Video, and Messaging Endpoint must generate audit records showing starting and ending time for user access to the system.
<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficu...Rule Medium Severity -
SRG-NET-000511
<GroupDescription></GroupDescription>Group -
The Enterprise Voice, Video, and Messaging Endpoint must, at a minimum, offload interconnected systems in real-time and offload standalone systems weekly.
<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common ...Rule Medium Severity -
SRG-NET-000512
<GroupDescription></GroupDescription>Group -
The Enterprise Voice, Video, and Messaging Endpoint must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
<VulnDiscussion>Configuring the network element to implement organization-wide security implementation guides and security checklists ensures...Rule Medium Severity -
SRG-NET-000512
<GroupDescription></GroupDescription>Group -
The Enterprise Voice, Video, and Messaging Endpoint must be configured with a firmware release supported by the vendor.
<VulnDiscussion>Operating a device with outdated firmware may leave the device with unmitigated security vulnerabilities. Vendors routinely u...Rule High Severity -
SRG-NET-000512
<GroupDescription></GroupDescription>Group -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to dynamically implement configuration file changes.
<VulnDiscussion>Configuration management includes the management of security features and assurances through control of changes made to devic...Rule Medium Severity -
SRG-NET-000512
<GroupDescription></GroupDescription>Group -
The Enterprise Voice, Video, and Messaging Endpoint must be configured to disable any auto answer features.
<VulnDiscussion>An Enterprise Voice, Video, and Messaging Endpoint set to automatically answer a call with audio or video capabilities enable...Rule Medium Severity -
SRG-NET-000518
<GroupDescription></GroupDescription>Group -
The Enterprise Voice, Video, and Messaging Endpoint must provide a logout capability for user-initiated communications sessions.
<VulnDiscussion>If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to a...Rule Medium Severity -
SRG-NET-000519
<GroupDescription></GroupDescription>Group -
The Enterprise Voice, Video, and Messaging Endpoint must display an explicit logout message to users indicating the reliable termination of communications sessions.
<VulnDiscussion>If a user cannot explicitly end a session, the session may remain open and be exploited by an attacker; this is referred to a...Rule Medium Severity -
SRG-NET-000522
<GroupDescription></GroupDescription>Group -
For accounts using password or PINs for authentication, the Enterprise Voice, Video, and Messaging Endpoint must store only cryptographic representations of passwords.
<VulnDiscussion>If passwords and PINs are not encrypted when stored, they may be read if the storage location is compromised. Note that DOD...Rule Medium Severity -
SRG-NET-000530
<GroupDescription></GroupDescription>Group -
The Enterprise Voice, Video, and Messaging Endpoint must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.
<VulnDiscussion>Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and u...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.