Title

Unnecessary/unused remote control/management/configuration protocols are not disabled. (Cat II impact)

Discussion

Management or other protocols, secure or not, that are not required or used for management of, or access to, a device in a given implementation, but are active and available for a connection, places the device at risk of compromise and unauthorized access. These protocols must be disabled or turned off.

Check Content

[IP]; Interview the IAO and validate compliance with the following requirement: Ensure remote access ports, protocols, and services used for VTC system/device “Remote Control/Management/Configuration” are disabled, turned off, or removed if not required in the specific implementation of the device. Determine what ports, protocols, and services are required for in the specific implementation of the device. Have the SA demonstrate the device configuration regarding these protocols or independently validate that only the required ports, protocols, and services are active. Validation can be performed by performing a scan of the network and management interface of the system/device. This is a finding if it is determined that there are ports, protocols, and services active that are not needed for the specific implementation of the device.

Fix Text

[IP]; Perform the following tasks: Configure the VTC system/device such that unused or unneeded ports, protocols, and services are disabled or removed from the system.

Additional Identifiers

Rule ID: SV-18876r1_rule

Vulnerability ID: V-17702

Group Title: RTS-VTC 3130.00 [IP]

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.