STIGQter: STIG Summary: Cisco IOS XE Switch L2S Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco switch must be configured to disable non-essential capabilities.

DISA Rule

SV-220648r539671_rule

Vulnerability Number

V-220648

Group Title

SRG-NET-000131-L2S-000014

Rule Version

CISC-L2-000010

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Disable the following services if enabled as shown in the example below:

SW2(config)#no boot network
SW2(config)#no ip boot server
SW2(config)#no ip bootp server
SW2(config)#no ip dns server
SW2(config)#no ip identd
SW2(config)#no ip finger
SW2(config)#no ip http server
SW2(config)#no ip rcmd rcp-enable
SW2(config)#no ip rcmd rsh-enable
SW2(config)#no service config
SW2(config)#no service finger
SW2(config)#no service tcp-small-servers
SW2(config)#no service udp-small-servers
SW2(config)#no service pad

Check Contents

Review the switch configuration to verify that the switch does not have any unnecessary or non-secure services enabled. For example, the following commands should not be in the configuration:

boot network
ip boot server
ip bootp server
ip dns server
ip identd
ip finger
ip http server
ip rcmd rcp-enable
ip rcmd rsh-enable
service config
service finger
service tcp-small-servers
service udp-small-servers
service pad

Note: ip http server can be enabled provided that the "ip http active-session-modules none" command is configured for scenarios such as ISE sending URL redirects to the switch.

If any unnecessary services are enabled, this is a finding.
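The check above is a manual review of the running configuration. The following script is an added example (not part of the STIG, DISA, or STIGQter) that automates that review: it scans a saved `show running-config` for the fourteen prohibited commands, applies the `ip http active-session-modules none` exception from the note, and emits the matching `no ...` remediation lines from the Fix Recommendation. The sample configuration, the hostname, and the TFTP address are constructed for the example.

```python
"""Audit a Cisco IOS XE switch configuration against CISC-L2-000010
(non-essential services). Added example, not DISA/STIGQter code."""

# Commands the check says must not appear in the configuration,
# listed in the order the STIG gives them.
PROHIBITED_SERVICES = [
    "boot network",
    "ip boot server",
    "ip bootp server",
    "ip dns server",
    "ip identd",
    "ip finger",
    "ip http server",
    "ip rcmd rcp-enable",
    "ip rcmd rsh-enable",
    "service config",
    "service finger",
    "service tcp-small-servers",
    "service udp-small-servers",
    "service pad",
]

# Per the check note, "ip http server" is acceptable only when this
# command is also present (e.g. ISE URL-redirect scenarios).
HTTP_EXCEPTION = "ip http active-session-modules none"


def normalize(line):
    """Collapse internal whitespace and strip leading/trailing blanks."""
    return " ".join(line.strip().split())


def audit_ios_config(config_text):
    """Return the prohibited services found in config_text, in STIG order.

    A line matches if it is exactly the command or the command followed by
    arguments (e.g. "boot network tftp://..."). Lines beginning with "no "
    or "!" are negations/comments and never count as enabled."""
    lines = [normalize(raw) for raw in config_text.splitlines()]
    present = set()
    for line in lines:
        if not line or line.startswith("!") or line.startswith("no "):
            continue
        for svc in PROHIBITED_SERVICES:
            if line == svc or line.startswith(svc + " "):
                present.add(svc)

    http_exception_present = HTTP_EXCEPTION in lines
    findings = []
    for svc in PROHIBITED_SERVICES:
        if svc not in present:
            continue
        if svc == "ip http server" and http_exception_present:
            continue  # permitted by the note in the check text
        findings.append(svc)
    return findings


def remediation_commands(findings):
    """Map each finding to the global-config command from the Fix text."""
    return ["no " + svc for svc in findings]


def is_finding(config_text):
    """True when any unnecessary service is enabled (STIG result: finding)."""
    return bool(audit_ios_config(config_text))


# Constructed sample running-config (hostname and TFTP address are made up).
SAMPLE_CONFIG = """\
!
version 17.3
service timestamps debug datetime msec
service config
no service pad
service tcp-small-servers
!
hostname SW2
!
boot network tftp://192.0.2.10/sw2.cfg
ip http server
ip http active-session-modules none
ip finger
no ip bootp server
!
"""

if __name__ == "__main__":
    found = audit_ios_config(SAMPLE_CONFIG)
    print("Finding" if found else "Not a finding")
    for cmd in remediation_commands(found):
        print("SW2(config)#" + cmd)
```

Run it against the output of `show running-config` saved to a file; because the exception is evaluated on the same text, a configuration that has `ip http server` together with `ip http active-session-modules none` is reported clean for that command while the other services are still flagged.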

Vulnerability Number

V-220648

Documentable

False

Rule Version

CISC-L2-000010

Severity Override Guidance

Review the switch configuration to verify that the switch does not have any unnecessary or non-secure services enabled. For example, the following commands should not be in the configuration:

boot network
ip boot server
ip bootp server
ip dns server
ip identd
ip finger
ip http server
ip rcmd rcp-enable
ip rcmd rsh-enable
service config
service finger
service tcp-small-servers
service udp-small-servers
service pad

Note: ip http server can be enabled provided that the "ip http active-session-modules none" command is configured for scenarios such as ISE sending URL redirects to the switch.

If any unnecessary services are enabled, this is a finding.

Check Content Reference

M

Target Key

4071

Comments