STIGQter: STIG Summary: Cisco IOS XE Switch L2S Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Cisco switch must be configured to disable non-essential capabilities.

DISA Rule

SV-220648r539671_rule

Vulnerability Number

V-220648

Group Title

SRG-NET-000131-L2S-000014

Rule Version

CISC-L2-000010

Severity

CAT II

CCI(s)

CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

Fix Recommendation

Disable the following services if enabled as shown in the example below:

SW2(config)#no boot network
SW2(config)#no ip boot server
SW2(config)#no ip bootp server
SW2(config)#no ip dns server
SW2(config)#no ip identd
SW2(config)#no ip finger
SW2(config)#no ip http server
SW2(config)#no ip rcmd rcp-enable
SW2(config)#no ip rcmd rsh-enable
SW2(config)#no service config
SW2(config)#no service finger
SW2(config)#no service tcp-small-servers
SW2(config)#no service udp-small-servers
SW2(config)#no service pad

Check Contents

Review the switch configuration to verify that the switch does not have any unnecessary or non-secure services enabled. For example, the following commands should not be in the configuration:

boot network
ip boot server
ip bootp server
ip dns server
ip identd
ip finger
ip http server
ip rcmd rcp-enable
ip rcmd rsh-enable
service config
service finger
service tcp-small-servers
service udp-small-servers
service pad

Note: ip http server can be enabled provided that the "ip http active-session-modules none" command is configured for scenarios such as ISE sending URL redirects to the switch.

If any unnecessary services are enabled, this is a finding.

The Cisco switch must be configured to disable non-essential capabilities.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments