STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated just now
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Ivanti Policy Secure NDM Security Technical Implementation Guide

V-284534

CAT I (High)

The Ivanti Policy Secure must be configured to connect to the management network if used to authenticate privileged users for device management.

Rule ID

SV-284534r1244941_rule

STIG

Ivanti Policy Secure NDM Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002890

Discussion

Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidentiality or integrity, and DoW data may be compromised. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2/140-3-validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules. Separate requirements for configuring applications and protocols used by each application (e.g., SNMPv3, SSHv2, NTP, HTTPS, and other protocols and applications that require server/client authentication) are required to implement this requirement. Where SSH is used, the SSHv2 protocol suite is required because it includes layer 7 protocols such as SCP and SFTP, which can be used for secure file transfers.

Check Content

1. In the Web UI, navigate to System >> Configuration >> Advanced Networking. 
2. Verify the management interface is selected for NTP, SNMP, Syslog and Log Archiving.

1. In the Web UI, navigate to Administrators >> Admin Realms.
2. Click each Admin Authentication Realm.
3. Click on Authentication policy for each realm. 
4. Verify the "Enable to sign in" check box is not checked for "Management Port".

If the device is not configured to connect to the management port for NTP, SNMP, and Syslog and Log Archiving communications, this is a finding.

Fix Text

Enable and configure alternative protocols and the admins to login to the Management port as well as the default URL port.

1. In the Web UI, navigate to Network >> Management >> Settings.
2. Check the box for "Use Port" to enable.
3. Add an IPv4 Address, Netmask, and GW.
4. Check the box to enable IPv6.
5. Add an IP Address, Prefix, and GW.

1. In the Web UI, navigate to System >> Configuration >> Advanced Networking. 
2. Select the management interface for NTP, SNMP, Syslog & Log Archive (this should be selected by default). 
3. Click "Save".

1. In the Web UI, navigate to Administrators >> Admin Realms.
2. Click each Admin Authentication Realm.
3. Click on Authentication policy. 
4. Select each realm and select "Enable administrators to sign in on the Management port". This should be the only port checked.