<?xml version="1.0" encoding="UTF-8"?>
<CHECKLIST>
  <ASSET>
    <ROLE>None</ROLE>
    <ASSET_TYPE>Computing</ASSET_TYPE>
    <HOST_NAME></HOST_NAME>
    <HOST_IP></HOST_IP>
  </ASSET>
  <STIGS>
    <iSTIG>
      <STIG_INFO>
        <SI_DATA>
          <SID_NAME>title</SID_NAME>
          <SID_DATA>Ivanti Policy Secure NAC Security Technical Implementation Guide</SID_DATA>
        </SI_DATA>
        <SI_DATA>
          <SID_NAME>version</SID_NAME>
          <SID_DATA>1</SID_DATA>
        </SI_DATA>
        <SI_DATA>
          <SID_NAME>releaseinfo</SID_NAME>
          <SID_DATA>Release: 1</SID_DATA>
        </SI_DATA>
      </STIG_INFO>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284581</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284581r1244870_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure NAC must enforce approved access by employing preadmissions assessment filters as defined in the NAC System Security Plan (SSP).</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information.

Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Many NACs include the ability to create network access control policies that include identity-based policies, role-based policies, and attribute-based policies. 

It is recommended the NAC have the capability to expose collected data on the assessed endpoints through an API that can be accessed externally, or the NAC solution must supply an SDK to allow customers to export data. 

Admissions assessment filters should include, at a minimum, device attributes such as type, IP address, resource group, and/or mission conditions as defined in the NAC SSP. The NAC should also track the following to facilitate security investigations: when each device was last admitted/readmitted to the network; owning organization; owning organization&apos;s organizational unit; geographic location or the nearest network switch; motherboard serial number and BIOS; globally unique ID; and which unique network access compliance policies each device passed or failed during the latest network admission/readmission.

The client may be denied admission based on a returned posture token. In most NAC implementations, additional network access authorization policies can also be tied to the user&apos;s identity, but these features are out of scope for this STIG.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Ivanti Policy Secure Web UI, navigate to Users &gt;&gt; User Realms &gt;&gt; User Authentication Realms.
2. Under the General tab &gt;&gt; &quot;Certificate login for authentication with a User/Directory/Attribute&quot;, verify the default &quot;User Realm&quot; is not in use.
3. Verify host checker policies include policies for type, resource group, and/or mission conditions.

If the host checker policies are not configured with preadmissions assessment filters as defined in the NAC SSP, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Create endpoint security host checker policies and associate them with host enforcement policies. This is an example configuration. There are many other places where different assessment policies may be derived from in this complex system depending on the specific type of filter. However, the realm configuration will allow associate and enforcement of these policies in accordance with the SSP.

1. In the Ivanti Policy Secure Web UI, navigate to Authentication &gt;&gt; Endpoint Security &gt;&gt; Host Checker.
2. Under &quot;Policies&quot; click &quot;New&quot;.
3. Type the name. 
4. Click &quot;Continue&quot;.
5. Under &quot;Rule Settings&quot;, select &quot;Rule type&quot;. 
6. Create Host Checker Rules to configure admissions assessment filters. 
7. Click &quot;Save Changes&quot;.

There are default Authentication Realms to include Users and various Guest realms. These must be disabled or deleted if not used.
1. Navigate to Users &gt;&gt; User Realms &gt;&gt; User Realms to view the User Authentication Realms page. 
2. Under the &quot;General&quot; tab, create a new user realm or modify the default user to use certificate login for authentication with a User/Directory/Attribute.
3. Under the &quot;Authentication Policy&quot; tab, select the &quot;Certificate&quot; tab, then select the radio button to only allow users with a client-side certificate signed by Trusted Client certificate authorities (CAs) to sign in.
4. Under the &quot;Host checker&quot; tab, locate the available policies with an action by selecting &quot;Evaluate Policies&quot; or &quot;Require &amp; Enforced&quot; based on the site&apos;s SSP.
5. Select the &quot;Role Mapping&quot; tab and create a rule assessing condition and assign a specific role. Specify how to assign roles to users when they sign in. Users that are not assigned a role will not be able to sign in.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284582</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284582r1244871_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure NAC must enforce approved access by employing post-admissions assessment filters as defined in the NAC System Security Plan (SSP).</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information.

Configure a Host Enforcer policy in Ivanti IPS to enforce compliance checks on endpoints that connect to the network. This is typically done to ensure the endpoints meet specific security standards and are up to date with their operating systems and patches. The policy can be applied at the realm level (pre-authentication) or at the role level (post-authentication) to manage access based on compliance. Additionally, configure Host Checker policies to perform health and security checks on endpoints, including antivirus versions, OS versions, and patch checker.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>If post admissions is not used, this is not applicable.

In the Ivanti Policy Secure Web UI, navigate to Endpoint Policy &gt;&gt; Host Enforcer &gt;&gt; Host Enforcer Policies.

If there are no Host Enforcer Policies created, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Ivanti Policy Secure Web UI, navigate to Endpoint Policy &gt;&gt; Host Enforcer &gt;&gt; Host Enforcer Policies.
2. Click &quot;New Policy&quot;.
3. Type &quot;Name&quot; and &quot;Description&quot;.
4. Specify &quot;Resources&quot;.
5. Specify &quot;Roles&quot;.
6. Specify &quot;Actions&quot; such as Allow/Deny, etc.
7. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284583</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284583r1244872_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure NAC must be configured to only allow users with a client-side certificate signed by Trusted Client Certificate Authorities (CAs) to sign in.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Automated policy assessments must reflect the organization&apos;s current security policy so entry control decisions will happen only where remote endpoints meet the organization&apos;s security requirements. If the remote endpoints are allowed to connect to the organization&apos;s network without passing minimum-security controls, they become a threat to the entire network.

Organizational policy must be established for what the NAC will check on the host for the agent and agentless. Use a NAC system security plan (SSP) to assess compliance with the requirement since each SSP item must be configured.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>In the Ivanti Policy Secure Web UI, navigate to Users &gt;&gt; User Realms &gt;&gt; User Authentication Realms.

Under the &quot;Certificate&quot; tab, verify the radio button for &quot;Only allow users with a client-side certificate signed by Trusted Client CAs to sign in&quot; is on.

If the system is not configured to confirm endpoint policy assessment proceeds only after the endpoint attempting access has been identified using an approved identification method, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the Host Checker: 
1. In the Ivanti Policy Secure Web UI, navigate to Authentication &gt;&gt; Endpoint Security &gt;&gt;Host Checker.
2. Under the &quot;Certificate&quot; tab, select &quot;Only allow users with a client-side certificate signed by Trusted Client CAs to sign in&quot;.

Configure the User Authentication Realm:
1. In the Ivanti Policy Secure Web UI, navigate to Users &gt;&gt; User Realms &gt;&gt; User Authentication Realms.
Note: By default, there are default Authentication Realms to include Users and various Guest realms.
2. Under the &quot;General&quot; tab, create a new user realm or modify the default &quot;User&quot; to use certificate login for authentication with a User/Directory/Attribute.
3. Under the &quot;Certificate&quot; tab, select the radio button for &quot;Only allow sign-in by users with a client-side certificate signed by Trusted Client CAs&quot;.
4. Click the &quot;Host checker&quot; tab, then associate a policy and set as &quot;Required &amp; Enforced&quot;.
5. Select the &quot;Role mapping&quot; tab and create a rule assessing condition and assign a specific role.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284586</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284586r1244873_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure NAC must be configured to redirect endpoints to a logically separate VLAN for remediation services for endpoints that require automated remediation.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Automated and manual procedures for remediation for critical security updates are managed differently. Continuing to assess and remediate endpoints with risks that could endanger the network could impact network usage for all users. This isolation prevents traffic from flowing with traffic from endpoints that have been fully assessed and authorized. This solution provides a mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, the system may become compromised. Information flow control regulates where information is allowed to travel within a system and between interconnected systems. Security attributes may be used to manage information flow control.

Unauthenticated devices must not be allowed to connect to remediation services. The Ivanti IPS and client does not need to provide IP transport for evaluation and remediation. However, using this Check and Fix text works as well. 

This requirement also applies to Zero Trust initiatives.

Satisfies: SRG-NET-000015-NAC-000040, SRG-NET-000323-NAC-001233</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>If automated remediation is not used, this is not applicable.

1. In the Ivanti Policy Secure Web UI, navigate to Endpoint Policy &gt;&gt; Network Access &gt;&gt; Radius Attributes &gt;&gt; Radius Return Attributes.
2. Inspect the policy to ensure it is configured with an assigned location group, roles, and remediation VLAN ID.

If the remediation VLAN that is separated from trusted resources is not configured for use, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Ivanti Policy Secure Web UI, navigate to Endpoint Policy &gt;&gt; Network Access &gt;&gt; Radius Attributes &gt;&gt; Radius Return Attributes.
2. Click &quot;New Policy&quot;.
3. Type a Name and Description.
4. Assign Location Groups to which the policy applies.
5. Expand the &quot;Access Control Policy Settings&quot; menu.
6. Click the &quot;Control&quot; radio button.
7. Click the check box for &quot;Control Using VLAN id []&quot; and specify the remediation or redirect VLAN. 
8. Select the PPS interface to which endpoints will connect while they are assigned to the above VLAN. 
9. Expand &quot;Roles&quot;.
10. Select the role to which this policy is applicable and set it for selected below and specify designated role. 
11. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284587</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284587r1244874_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure NAC must be configured to apply dynamic ACLs that restrict the use of resources when nonentity endpoints are connected using MAC Authentication Bypass (MAB).</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>MAB can be defeated by spoofing the MAC address of a valid device. MAB enables port-based access control using the MAC address of the endpoint. A MAB-enabled port can be dynamically enabled or disabled based on the MAC address of the device that connects to it.

NPE devices that support PKI or an allowed authentication type must use PKI. MAB may be used for NPE that cannot support an approved device authentication. Nonentity endpoints include IoT devices, VoIP phones, and printers.

To support MAC authentication, add a MAC authentication server to Ivanti Policy Secure. Direct configuration of authenticators on the Ivanti Policy server, including MAC addresses, is not permitted; thus, NPE MACs must be associated with a MAC authentication server with an LDAP server.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>If nonentity endpoints using MAB are not connected, this is not applicable.

1. Select Endpoint Policy &gt;&gt; MAC Address Realm.
2. View the configuration of at least one MAC Address Authentication realm and Role Mapping rule.

If the MAC address realm is not configured and associated with role mappings, rules and a separate NPE VLAN, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the MAC address authentication server for an authorized and separated NPE VLAN.
1. Select Authentication &gt;&gt; Auth. Servers.
2. Select &quot;MAC Address Authentication&quot; and click &quot;New Server&quot;. Configure the MAC address authentication server configuration page and then click &quot;Save&quot;.

Configure the MAC Address Authentication Realm and Role Mapping Rules.
1. Select Endpoint Policy &gt;&gt; MAC Address Realm.
2. Complete the configuration page and then click &quot;Save&quot;.

Note: This realm can now be associated with roles, location groups, RADIUS client, etc. as any other realm. Direct configuration of authenticators on the Ivanti Policy server, including MAC addresses, is not permitted; thus, NPE MACs must be associated with a MAC authentication server with an LDAP server.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284588</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284588r1244875_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure NAC must configure maximum number of sessions per user for all user realms.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Denial-of-service (DoS) events may occur due to a variety of internal and external causes, such as an adversarial attack or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of DoS events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of DoS attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to DoS events.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Ivanti Policy Secure Web UI, navigate to Users &gt;&gt; User Realms &gt;&gt; User Realms.
2. Click the configured admin realm being used for CAC/PKI token user logins.
3. Click the &quot;Authentication Policy&quot; tab, then click &quot;Limits&quot;.

If the &quot;Maximum number of sessions per user&quot; is any number other than &quot;1&quot;, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Ivanti Policy Secure Web UI, navigate to Users &gt;&gt; User Realms &gt;&gt; User Realms.
2. Click the configured user realm being used for CAC/PKI token user logins.
3. Click the &quot;Authentication Policy&quot; tab, then click &quot;Limits&quot;.
4. In &quot;Maximum number of sessions per user,&quot; type &quot;1&quot;.
5. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-285223</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-285223r1244921_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure NAC must be configured to notify the user before proceeding with remediation of the user&apos;s endpoint device when automated remediation is used.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Connections that bypass established security controls should only be used in cases of administrative need. These procedures and use cases must be approved by the information system security manager (ISSM).</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>In the Ivanti Policy Secure Web UI, navigate to Authentication &gt;&gt; Endpoint Security &gt;&gt; Host Checker.

If there are no Host Checker policies to notify the user before proceeding with remediation of the user&apos;s endpoint device when automated remediation is used, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Ivanti Policy Secure Web UI, navigate to Authentication &gt;&gt; Endpoint Security &gt;&gt;Host Checker.
2. Under &quot;Policies&quot;, click &quot;New&quot;.
3. Type a name. 
4. Click &quot;Continue&quot;.
5. Under &quot;Rule Settings&quot;, select &quot;Rule type&quot;. 
6. Create Host Checker rules to notify the user before proceeding with remediating the user&apos;s endpoint device when automated remediation is used.
7. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-285224</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-285224r1244922_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure NAC must be configured to terminate the session or redirect the endpoint to the remediation VLAN when a device requesting access fails the Host Checker policy checks.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Automated and manual procedures for remediation for critical security updates will be managed differently. Continuing to assess and remediate endpoints with risks that could endanger the network could impact network usage for all users.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>In the Ivanti Policy Secure Web UI, navigate to Authentication &gt;&gt; Endpoint Security &gt;&gt;Host Checker.

If a Host Checker policy is not configured to terminate the session or redirect to a remediation VLAN based on the site&apos;s SSP, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Ivanti Policy Secure Web UI, navigate to Authentication &gt;&gt; Endpoint Security &gt;&gt;Host Checker.
2. Under &quot;Policies&quot;, click &quot;New&quot;.
3. Type a name. 
4. Click &quot;Continue&quot;.
5. Under &quot;Rule Settings&quot;, select &quot;Rule type&quot;. 
6. Create Host Checker rules for failed policy assessment to either terminate the session or redirect the endpoint to the remediation VLAN.
7. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    </iSTIG>
  </STIGS>
</CHECKLIST>