The VPN client configuration will be protected by access control so the remote user cannot change the security settings.

From Remote Endpoint STIG

Part of SRC-EPT-610 VPN client security

Associated with IA controls: ECSC-1

SV-6820r1_rule The VPN client configuration will be protected by access control so the remote user cannot change the security settings.

Vulnerability discussion

Without proper configuration control, security controls can become lessened on a remote access machine.

Check content

Verify the system's user and advanced user rights policies are configured in accordance with DISA requirements to prevent users without administrative rights from installing or changing software or hardware configurations, which may adversely affect the security posture of the remote device.

There are several ways to accomplish this item. Have the NSO demonstrate the site's method for securing the VPN profile configuration. Since the VPN client software generally does not have a setting for preventing users from changing the settings, the most likely method used will be to enable the operating system policies to ensure the profile directory of the client software is enabled for read and execute only for ordinary users. Next, examine any procedures or remote access agreement that informs the user of this requirement. If the user is not informed of this requirement or if rights are not restricted to prevent installation of software or device drivers, this is a finding.

Note: If the remote user has administrative rights, then this is a finding only if a written policy does not exist informing the user that changes must be pre-approved regardless of having administrative rights.
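The file-system part of this check, the profile directory being read-and-execute only for ordinary users, can be audited with the added PowerShell below. It is an example written for this page, not DISA or vendor code; the profile path and the list of trusted principals are assumptions to be replaced with the site's own values.

```powershell
# Added audit example (not from the STIG): list ACEs on a VPN client profile
# directory that let a non-administrative principal alter the profile.
# $ProfilePath and the default $TrustedPrincipals are site-specific assumptions.
function Get-VpnProfileWriteAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $ProfilePath,

        # Principals that may legitimately modify the profile (assumed defaults)
        [string[]] $TrustedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    # Rights that allow changing, replacing or deleting profile content, plus the
    # generic write/all bits (0x40000000, 0x10000000) that inherited ACEs sometimes
    # carry. Read and execute rights are deliberately excluded: those are exactly
    # what ordinary users are supposed to keep.
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
                       $fsr::ChangePermissions -bor $fsr::TakeOwnership) -bor 0x40000000 -bor 0x10000000

    # Audit the directory itself and every file and subdirectory beneath it,
    # including hidden ones, since a writable child is as bad as a writable root.
    $targets = @(Get-Item -LiteralPath $ProfilePath) +
               @(Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force)

    foreach ($item in $targets) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

            # Every row emitted is an untrusted principal with some write-class right
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: any output row is a finding under this rule (assumed example path).
$findings = Get-VpnProfileWriteAccess -ProfilePath 'C:\ProgramData\ExampleVpn\Profiles'
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No untrusted principal can change the VPN profile directory.' }
```

Members of the trusted groups are not reported, so for users who hold administrative rights the written pre-approval policy named in the Note remains the control to verify.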

Fix text

Ensure there is a configuration control process in place for VPN client configurations, and that it is followed.
