STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← AC-17 (1) — Remote Access

CCI-002314

Definition

Employ automated mechanisms to control remote access methods.

Parent Control

AC-17 (1)Remote AccessAccess Control

Linked STIG Checks (139)

V-279072CAT IIThe ColdFusion error messages must be restricted to only authorized users.Adobe ColdFusion Security Technical Implementation Guide V-279074CAT IIColdFusion must control remote access to the Administrator Console.Adobe ColdFusion Security Technical Implementation Guide V-279075CAT IColdFusion must control remote access to Exposed Services.Adobe ColdFusion Security Technical Implementation Guide V-274027CAT IIAmazon Linux 2023 must have the firewalld package installed.Amazon Linux 2023 Security Technical Implementation Guide V-274028CAT IIAmazon Linux 2023 must have the firewalld service active.Amazon Linux 2023 Security Technical Implementation Guide V-274158CAT IIAmazon Linux 2023 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL) and vulnerability assessments.Amazon Linux 2023 Security Technical Implementation Guide V-268078CAT IINixOS must enable the built-in firewall.Anduril NixOS Security Technical Implementation Guide V-214259CAT IIThe Apache web server must restrict inbound connections from nonsecure zones.Apache Server 2.4 UNIX Server Security Technical Implementation Guide V-214343CAT IIThe Apache web server must restrict inbound connections from nonsecure zones.Apache Server 2.4 Windows Server Security Technical Implementation Guide V-214388CAT IIThe Apache web server must restrict inbound connections from nonsecure zones.Apache Server 2.4 Windows Site Security Technical Implementation Guide V-222980CAT IILockOutRealms must be used for management of Tomcat.Apache Tomcat Application Server 9 Security Technical Implementation Guide V-254612CAT IIApple iOS/iPadOS 16 must implement the management setting: Disable Allow MailDrop.Apple iOS-iPadOS 16 Security Technical Implementation Guide V-258346CAT IIApple iOS/iPadOS 17 must implement the management setting: Disable Allow MailDrop.Apple iOS/iPadOS 17 Security Technical Implementation Guide V-268033CAT IIApple iOS/iPadOS 18 must implement the management setting: disable Allow MailDrop.Apple iOS/iPadOS 18 Security Technical Implementation Guide V-278792CAT IIApple iOS/iPadOS 26 must implement the management setting: disable Allow MailDrop.Apple iOS/iPadOS 26 Security Technical Implementation Guide V-276395CAT IIApple visionOS 2 must implement the management setting: disable Allow MailDrop.Apple visionOS 2 Security Technical Implementation Guide V-282804CAT IIApple visionOS 26 must implement the management setting: disable Allow MailDrop.Apple visionOS 26 Security Technical Implementation Guide V-204978CAT IIThe ALG providing intermediary services for remote access communications traffic must control remote access methods.Application Layer Gateway Security Requirements Guide V-204782CAT IIThe application server must control remote access methods.Application Server Security Requirements Guide V-256845CAT IICompliance Guardian must control remote access methods.AvePoint Compliance Guardian Security Technical Implementation Guide V-253517CAT IIDocAve must control remote access methods.AvePoint DocAve 6 Security Technical Implementation Guide V-237384CAT IIThe CA API Gateway providing intermediary services for remote access communications traffic must control remote access methods.CA API Gateway ALG Security Technical Implementation Guide V-219161CAT IIThe Ubuntu operating system must have an application firewall installed in order to control remote access methods.Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide V-219337CAT IIThe Ubuntu operating system must enable and run the uncomplicated firewall(ufw).Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide V-238354CAT IIThe Ubuntu operating system must have an application firewall installed in order to control remote access methods.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-238355CAT IIThe Ubuntu operating system must enable and run the uncomplicated firewall(ufw).Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-260514CAT IIUbuntu 22.04 LTS must have an application firewall installed in order to control remote access methods.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-260515CAT IIUbuntu 22.04 LTS must enable and run the Uncomplicated Firewall (ufw).Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-270654CAT IIUbuntu 24.04 LTS must have an application firewall installed in order to control remote access methods.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-270655CAT IIUbuntu 24.04 LTS must enable and run the Uncomplicated Firewall (ufw).Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-269245CAT IIThe firewalld service on AlmaLinux OS 9 must be active.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269358CAT IIAlmaLinux OS 9 must have the firewalld package installed.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-215726CAT IIThe BIG-IP APM module access policy profile must control remote access methods to virtual servers.F5 BIG-IP Access Policy Manager Security Technical Implementation Guide V-215772CAT IIThe BIG-IP Core implementation providing intermediary services for remote access communications traffic must control remote access methods to virtual servers.F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide V-203686CAT IIThe operating system must control remote access methods.General Purpose Operating System Security Requirements Guide V-267447CAT IIGoogle Android 15 must be configured to enable authentication of personal hotspot connections to the device using a preshared key.Google Android 15 COBO Security Technical Implementation Guide V-267542CAT IIGoogle Android 15 must be configured to enable authentication of personal hotspot connections to the device using a preshared key.Google Android 15 COPE Security Technical Implementation Guide V-276765CAT IIGoogle Android 16 must be configured to enable authentication of personal hotspot connections to the device using a preshared key.Google Android 16 COBO Security Technical Implementation Guide V-276867CAT IIGoogle Android 16 must be configured to enable authentication of personal hotspot connections to the device using a preshared key.Google Android 16 COPE Security Technical Implementation Guide V-255263CAT IISSMC web server must restrict connections from nonsecure zones.HPE 3PAR SSMC Web Server Security Technical Implementation Guide V-237818CAT IDoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts.HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide V-255272CAT IThe HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions.HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide V-283038CAT IIThe HPE Alletra Storage ArcusOS device must disable remote access.HPE Alletra Storage ArcusOS Web Server Security Technical Implementation Guide V-274307CAT IIHoneywell Android 13 must be configured to enable authentication of personal hotspot connections to the device using a preshared key.Honeywell Android 13 COBO Security Technical Implementation Guide V-274402CAT IIHoneywell Android 13 must be configured to enable authentication of personal hotspot connections to the device using a preshared key.Honeywell Android 13 COPE Security Technical Implementation Guide V-215233CAT IAIX must be able to control the ability of remote login for users.IBM AIX 7.x Security Technical Implementation Guide V-250341CAT IApplication security must be enabled on the WebSphere Liberty Server.IBM WebSphere Liberty Server Security Technical Implementation Guide V-255826CAT IThe WebSphere Application Server administrative security must be enabled.IBM WebSphere Traditional V9.x Security Technical Implementation Guide V-255828CAT IIThe WebSphere Application Server users in a local user registry group must be authorized for that group.IBM WebSphere Traditional V9.x Security Technical Implementation Guide V-223600CAT IIIBM z//OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.IBM z/OS ACF2 Security Technical Implementation Guide V-223821CAT IIIBM z/OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.IBM z/OS RACF Security Technical Implementation Guide V-224062CAT IIIBM z//OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.IBM z/OS TSS Security Technical Implementation Guide V-258587CAT IIIThe ICS must be configured to generate log records containing sufficient information about where, when, identity, source, or outcome of the events.Ivanti Connect Secure VPN Security Technical Implementation Guide V-218812CAT IIThe IIS 10.0 web server must restrict inbound connections from non-secure zones.Microsoft IIS 10.0 Server Security Technical Implementation Guide V-220972CAT IIThe Deny log on through Remote Desktop Services user right on Windows 10 workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.Microsoft Windows 10 Security Technical Implementation Guide V-253495CAT IIThe "Deny log on through Remote Desktop Services" user right on Windows 11 workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.Microsoft Windows 11 Security Technical Implementation Guide V-225004CAT IIThe Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.Microsoft Windows Server 2016 Security Technical Implementation Guide V-225019CAT IIThe "Deny log on through Remote Desktop Services" user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems.Microsoft Windows Server 2016 Security Technical Implementation Guide V-205732CAT IIWindows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.Microsoft Windows Server 2019 Security Technical Implementation Guide V-205733CAT IIWindows Server 2019 "Deny log on through Remote Desktop Services" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.Microsoft Windows Server 2019 Security Technical Implementation Guide V-254425CAT IIWindows Server 2022 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.Microsoft Windows Server 2022 Security Technical Implementation Guide V-254439CAT IIWindows Server 2022 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.Microsoft Windows Server 2022 Security Technical Implementation Guide V-278174CAT IIThe Windows Server 2025 "Deny log on through Remote Desktop Services" user right on domain controllers must be configured to prevent unauthenticated access.Microsoft Windows Server 2025 Security Technical Implementation Guide V-278188CAT IIThe Windows Server 2025 "Deny log on through Remote Desktop Services" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.Microsoft Windows Server 2025 Security Technical Implementation Guide V-272188CAT IIMotorola Solutions Android 13 must be configured to enable authentication of personal hotspot connections to the device using a preshared key.Motorola Solutions Android 13 COBO Security Technical Implementation Guide V-272334CAT IIMotorola Solutions Android 13 must be configured to enable authentication of personal hotspot connections to the device using a preshared key.Motorola Solutions Android 13 COPE Security Technical Implementation Guide V-254098CAT IINutanix AOS must disable Remote Support Sessions.Nutanix AOS 5.20.x Application Security Technical Implementation Guide V-254124CAT IINutanix AOS must control remote access methods.Nutanix AOS 5.20.x OS Security Technical Implementation Guide V-279532CAT IINutanix OS must configure the firewall to control remote access methods.Nutanix Acropolis GPOS Security Technical Implementation Guide V-221297CAT IIRemote access to OHS must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements.Oracle HTTP Server 12.1.3 Security Technical Implementation Guide V-221298CAT IIOHS must have the Order, Allow, and Deny directives set within the Directory directives set to restrict inbound connections from nonsecure zones.Oracle HTTP Server 12.1.3 Security Technical Implementation Guide V-221299CAT IIOHS must have the Order, Allow, and Deny directives set within the Files directives set to restrict inbound connections from nonsecure zones.Oracle HTTP Server 12.1.3 Security Technical Implementation Guide V-221300CAT IIOHS must have the Order, Allow, and Deny directives set within the Location directives set to restrict inbound connections from nonsecure zones.Oracle HTTP Server 12.1.3 Security Technical Implementation Guide V-221839CAT IIThe Oracle Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.Oracle Linux 7 Security Technical Implementation Guide V-248839CAT IIAn OL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.Oracle Linux 8 Security Technical Implementation Guide V-248840CAT IIA firewall must be installed on OL 8.Oracle Linux 8 Security Technical Implementation Guide V-248841CAT IIA firewall must be active on OL 8.Oracle Linux 8 Security Technical Implementation Guide V-271469CAT IIOL 9 must have the firewalld package installed.Oracle Linux 9 Security Technical Implementation Guide V-271470CAT IIOL 9 must be configured so that the firewalld service is active.Oracle Linux 9 Security Technical Implementation Guide V-271472CAT IIOL 9 must control remote access methods.Oracle Linux 9 Security Technical Implementation Guide V-228854CAT IIThe Palo Alto Networks security platform, if used as a TLS gateway/decryption point or VPN concentrator, must control remote access methods (inspect and filter traffic).Palo Alto Networks ALG Security Technical Implementation Guide V-280955CAT IIRHEL 10 must have the "firewalld" package installed.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-280956CAT IIRHEL 10 must have the "firewalld" service set to active.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-280957CAT IIRHEL 10 must employ a deny-all, allow-by-exception policy for allowing connections to other systems.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281332CAT IIRHEL 10 must control remote access methods.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-204577CAT IIThe Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-230504CAT IIA RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230505CAT IIA firewall must be installed on RHEL 8.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-244544CAT IIA firewall must be active on RHEL 8.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-257935CAT IIRHEL 9 must have the firewalld package installed.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257936CAT IIThe firewalld service on RHEL 9 must be active.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-275608CAT IIUbuntu OS must have an application firewall installed to control remote access methods.Riverbed NetIM OS Security Technical Implementation Guide V-275609CAT IIUbuntu OS must enable and run the Uncomplicated Firewall (ufw).Riverbed NetIM OS Security Technical Implementation Guide V-261310CAT IISLEM 5 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide V-217261CAT IIThe SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.SUSE Linux Enterprise Server 12 Security Technical Implementation Guide V-276539CAT IISamsung Android must be configured to enable authentication of personal hotspot connections to the device using a preshared key.Samsung Android 16 COBO Security Technical Implementation Guide V-276645CAT IISamsung Android must be configured to enable authentication of personal hotspot connections to the device using a preshared key.Samsung Android 16 COPE Security Technical Implementation Guide V-255122CAT IISamsung Android must be configured to enable authentication of personal hotspot connections to the device using a preshared key.Samsung Android OS 13 with Knox 3.x COBO Security Technical Implementation Guide V-255151CAT IISamsung Android must be configured to enable authentication of personal hotspot connections to the device using a pre-shared key.Samsung Android OS 13 with Knox 3.x COPE Security Technical Implementation Guide V-258641CAT IISamsung Android must be configured to enable authentication of personal hotspot connections to the device using a preshared key. - Disallow config tethering.Samsung Android OS 14 with Knox 3.x COBO Security Technical Implementation Guide V-258677CAT IISamsung Android must be configured to enable authentication of personal hotspot connections to the device using a pre-shared key.Samsung Android OS 14 with Knox 3.x COPE Security Technical Implementation Guide V-268952CAT IISamsung Android must be configured to enable authentication of personal hotspot connections to the device using a pre-shared key.Samsung Android OS 15 with Knox 3.x COBO Security Technical Implementation Guide V-269050CAT IISamsung Android must be configured to enable authentication of personal hotspot connections to the device using a preshared key.Samsung Android OS 15 with Knox 3.x COPE Security Technical Implementation Guide V-279203CAT IIThe Edge SWG must control remote access methods.Symantec Edge SWG ALG Security Technical Implementation Guide V-241005CAT IICommon Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.Tanium 7.0 Security Technical Implementation Guide V-234066CAT IICommon Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.Tanium 7.3 Security Technical Implementation Guide V-253088CAT IIA firewall must be installed on TOSS.Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide V-282486CAT IIThe firewalld service on TOSS 5 must be active.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-240074CAT IHAProxy must redirect all http traffic to use https.VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide V-240075CAT IIHAProxy must restrict inbound connections from nonsecure zones.VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide V-240258CAT ILighttpd must be configured to utilize the Common Information Model Object Manager.VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide V-240259CAT IILighttpd must restrict inbound connections from nonsecure zones.VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide V-240498CAT IIThe SLES for vRealize must control remote access methods.VMware vRealize Automation 7.x SLES Security Technical Implementation Guide V-240842CAT Itc Server ALL must be configured to the correct user authentication source.VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide V-240843CAT IItc Server HORIZON must be configured to use the https scheme.VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide V-240844CAT IItc Server VCAC must be configured to use the https scheme.VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide V-240949CAT IIThe vAMI account credentials must protected by site policies.VMware vRealize Automation 7.x vAMI Security Technical Implementation Guide V-239592CAT IIThe SLES for vRealize must control remote access methods.VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide V-241697CAT Itc Server ALL must be configured to the correct user authentication source.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide V-241698CAT IItc Server UI must be configured to use the https scheme.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide V-241699CAT IItc Server CaSa must be configured to use the https scheme.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide V-241700CAT IItc Server API must be configured to use the https scheme.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide V-256400CAT IIThe ESXi host must be configured to disable nonessential capabilities by disabling Secure Shell (SSH).VMware vSphere 7.0 ESXi Security Technical Implementation Guide V-256647CAT IIVAMI must use cryptography to protect the integrity of remote sessions.VMware vSphere 7.0 VAMI Security Technical Implementation Guide V-256742CAT IIEnvoy must exclusively use the HTTPS protocol for client connections.VMware vSphere 7.0 vCenter Appliance RhttpProxy Security Technical Implementation Guide V-258754CAT IIThe ESXi host must be configured to disable nonessential capabilities by disabling Secure Shell (SSH).VMware vSphere 8.0 ESXi Security Technical Implementation Guide V-259138CAT IIThe vCenter VAMI service must use cryptography to protect the integrity of remote sessions.VMware vSphere 8.0 vCenter Appliance Management Interface (VAMI) Security Technical Implementation Guide V-207435CAT IIThe VMM must control remote access methods.Virtual Machine Manager Security Requirements Guide V-207228CAT IIThe VPN Gateway must be configured to perform an organization-defined action if the audit reveals unauthorized activity.Virtual Private Network (VPN) Security Requirements Guide V-206416CAT IIRemote access to the web server must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements.Web Server Security Requirements Guide V-206417CAT IIThe web server must restrict inbound connections from nonsecure zones.Web Server Security Requirements Guide V-73773CAT IIThe Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.Windows Server 2016 Security Technical Implementation Guide V-73773CAT IIThe Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.Windows Server 2016 Security Technical Implementation Guide V-73775CAT IIThe Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems.Windows Server 2016 Security Technical Implementation Guide V-73775CAT IIThe Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems.Windows Server 2016 Security Technical Implementation Guide V-92963CAT IIWindows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.Windows Server 2019 Security Technical Implementation Guide V-92965CAT IIWindows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.Windows Server 2019 Security Technical Implementation Guide V-283531CAT IIZebra Android 14 must be configured to enable authentication of personal hotspot connections to the device using a preshared key.Zebra Technologies Android 14 COBO Security Technical Implementation Guide V-283633CAT IIZebra Android 14 must be configured to enable authentication of personal hotspot connections to the device using a preshared key.Zebra Technologies Android 14 COPE Security Technical Implementation Guide