STIGQter STIGQter: STIG Summary: Cisco IOS XE Router NDM Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco router must be configured to prohibit the use of all unnecessary and nonsecure functions and services.

DISA Rule

SV-215823r531083_rule

Vulnerability Number

V-215823

Group Title

SRG-APP-000142-NDM-000245

Rule Version

CISC-ND-000470

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Disable the following services if enabled as shown in the example below.

R2(config)#no boot network
R2(config)#no ip boot server
R2(config)#no ip bootp server
R2(config)#no ip dns server
R2(config)#no ip identd
R2(config)#no ip finger
R2(config)#no ip http server
R2(config)#no ip rcmd rcp-enable
R2(config)#no ip rcmd rsh-enable
R2(config)#no service config
R2(config)#no service finger
R2(config)#no service tcp-small-servers
R2(config)#no service udp-small-servers
R2(config)#no service pad
R2(config)#end

Check Contents

Verify that the router does not have any unnecessary or non-secure ports, protocols and services enabled. For example, the following commands should not be in the configuration:

boot network
ip boot server
ip bootp server
ip dns server
ip identd
ip finger
ip http server
ip rcmd rcp-enable
ip rcmd rsh-enable
service config
service finger
service tcp-small-servers
service udp-small-servers

If any unnecessary or non-secure ports, protocols, or services are enabled, this is a finding.

Vulnerability Number

V-215823

Documentable

False

Rule Version

CISC-ND-000470

Severity Override Guidance

Verify that the router does not have any unnecessary or non-secure ports, protocols and services enabled. For example, the following commands should not be in the configuration:

boot network
ip boot server
ip bootp server
ip dns server
ip identd
ip finger
ip http server
ip rcmd rcp-enable
ip rcmd rsh-enable
service config
service finger
service tcp-small-servers
service udp-small-servers

If any unnecessary or non-secure ports, protocols, or services are enabled, this is a finding.

Check Content Reference

M

Target Key

4020

Comments