Rule ID
SV-284581r1244870_rule
Version
V1R1
CCIs
Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Many NACs include the ability to create network access control policies that include identity-based policies, role-based policies, and attribute-based policies. It is recommended the NAC have the capability to expose collected data on the assessed endpoints through an API that can be accessed externally, or the NAC solution must supply an SDK to allow customers to export data. Admissions assessment filters should include, at a minimum, device attributes such as type, IP address, resource group, and/or mission conditions as defined in the NAC SSP. The NAC should also track the following to facilitate security investigations: when each device was last admitted/readmitted to the network; owning organization; owning organization's organizational unit; geographic location or the nearest network switch; motherboard serial number and BIOS; globally unique ID; and which unique network access compliance policies each device passed or failed during the latest network admission/readmission. The client may be denied admission based on a returned posture token. In most NAC implementations, additional network access authorization policies can also be tied to the user's identity, but these features are out of scope for this STIG.
1. In the Ivanti Policy Secure Web UI, navigate to Users >> User Realms >> User Authentication Realms. 2. Under the General tab >> "Certificate login for authentication with a User/Directory/Attribute", verify the default "User Realm" is not in use. 3. Verify host checker policies include policies for type, resource group, and/or mission conditions. If the host checker policies are not configured with preadmissions assessment filters as defined in the NAC SSP, this is a finding.
Create endpoint security host checker policies and associate them with host enforcement policies. This is an example configuration. There are many other places where different assessment policies may be derived from in this complex system depending on the specific type of filter. However, the realm configuration will allow associate and enforcement of these policies in accordance with the SSP. 1. In the Ivanti Policy Secure Web UI, navigate to Authentication >> Endpoint Security >> Host Checker. 2. Under "Policies" click "New". 3. Type the name. 4. Click "Continue". 5. Under "Rule Settings", select "Rule type". 6. Create Host Checker Rules to configure admissions assessment filters. 7. Click "Save Changes". There are default Authentication Realms to include Users and various Guest realms. These must be disabled or deleted if not used. 1. Navigate to Users >> User Realms >> User Realms to view the User Authentication Realms page. 2. Under the "General" tab, create a new user realm or modify the default user to use certificate login for authentication with a User/Directory/Attribute. 3. Under the "Authentication Policy" tab, select the "Certificate" tab, then select the radio button to only allow users with a client-side certificate signed by Trusted Client certificate authorities (CAs) to sign in. 4. Under the "Host checker" tab, locate the available policies with an action by selecting "Evaluate Policies" or "Require & Enforced" based on the site's SSP. 5. Select the "Role Mapping" tab and create a rule assessing condition and assign a specific role. Specify how to assign roles to users when they sign in. Users that are not assigned a role will not be able to sign in.