Title

Host-based firewalls installed on the endpoint devices will be configured to log all inbound connections. (Cat III impact)

Discussion

Logs are needed in the event that an attack was successful or in order to detect potentially malicious activity. (Remote Only)

Check Content

Have the SA or NSO demonstrate the configuration of the personal firewall. The method of access to the firewall configuration will vary with the actual software. However, in general, the configuration can be viewed by clicking on the program icon in the desktop tray or by using the Start menu. Navigate to the Alerts configuration menu or tab and verify that the setting to log alerts is enabled. At a minimum, all inbound connections from the Internet Zone must be logged to a text file. If the log alerts setting is not enabled in the personal firewall software, this is a finding.

Fix Text

Configure the firewall to log in bound connections.

Additional Identifiers

Rule ID: SV-6811r1_rule

Vulnerability ID: V-6663

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.