Check: SRC-EPT-610
SRC - Remote Endpoint: SRC-EPT-610 (in version v2 r7)
Title
The VPN client configuration will be protected by access control so the remote user cannot change the security settings. (Cat II impact)
Discussion
Without proper configuration control, the security controls on a remote access machine can be weakened.
Check Content
Verify the system's user and advanced user rights policies are configured in accordance with DISA requirements to prevent users without administrative rights from installing or changing software or hardware configurations, which may adversely affect the security posture of the remote device. There are several ways to accomplish this item. Have the NSO demonstrate the site's method for securing the VPN profile configuration. Since the VPN client software generally does not have a setting for preventing users from changing the settings, the most likely method will be to use operating system policies to ensure the profile directory of the client software is set to read and execute only for ordinary users.
Next, examine any procedures or remote access agreement that informs the user of this requirement. If the user is not informed of this requirement, or if rights are not restricted to prevent installation of software or device drivers, this is a finding.
Note: If the remote user has administrative rights, this is a finding only if a written policy does not exist informing the user that changes must be pre-approved regardless of having administrative rights.
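One way to check the "read and execute only for ordinary users" condition described above, as an added example that is not part of the STIG text. It assumes a POSIX endpoint where only UID 0 counts as administrative, and the default directory path is a hypothetical placeholder.

```python
import os
import stat
import sys


def audit_profile_dir(root, admin_uids=(0,)):
    """Return sorted (path, reason) findings for a VPN profile directory.

    A path is a finding when an ordinary user could alter it: it is owned
    by a non-administrative account, or it carries a group or world write
    bit. Symlinks are reported on their own, because their target may sit
    outside the protected tree.
    """
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)

    findings = []
    for path in paths:
        st = os.lstat(path)  # lstat: inspect the link itself, not its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink"))
            continue
        if st.st_uid not in admin_uids:
            findings.append((path, "owner-not-admin"))
        if st.st_mode & stat.S_IWGRP:
            findings.append((path, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
    return sorted(findings)


if __name__ == "__main__":
    # Hypothetical default path; pass the real profile directory as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/opt/vpnclient/profiles"
    results = audit_profile_dir(target)
    for path, reason in results:
        print(f"FINDING {reason}: {path}")
    sys.exit(1 if results else 0)
```

A clean result covers only the file-permission part of the check; the written procedures or remote access agreement still have to be reviewed separately.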
Fix Text
Ensure a configuration control process is in place and is followed for VPN client configurations.
Additional Identifiers
Rule ID: SV-6820r1_rule
Vulnerability ID: V-6672
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |