Security Control 11:
Limitation and Control of Network Ports, Protocols, and Services

Allow remote access only to legitimate users and services: apply host-based firewalls and port-filtering and port-scanning tools to block any traffic that is not explicitly allowed. Properly configure web servers, mail servers, file and print services, and domain name system (DNS) servers to limit remote access. Disable automatic installation of unnecessary software components. Move servers inside the firewall unless remote access to them is required for business purposes.

Key: REQ = Required, REC = Recommended, OPT = Optional

| ID | Details | High | Med | Low |
|------|---------|------|-----|-----|
| 11.1 | Any server that is visible from the Internet or an untrusted network should be verified, and if it is not required for business purposes it should be moved behind a firewall or onto an internal VLAN. | REQ | REQ | REQ |
| 11.2 | Host-based firewalls or port-filtering tools should be applied on end systems, with a default-deny rule that drops all traffic except the services and ports that are explicitly allowed. | REQ | REQ | REC |
| 11.3 | Automated port scans should be performed on a regular basis against all key servers and compared against a known-good baseline. If a new open port is found, an alert should be generated and reviewed. | REQ | REQ | REC |
| 11.4 | Operate critical services on separate machines. Critical services can include DNS, file, mail, web, and database servers. | REQ | REQ | REC |
| 11.5 | Application firewalls should be placed in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized services or traffic should be blocked and an alert generated. | REC | REC | OPT |
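The default-deny host firewall called for in 11.2 is easier to reason about when the allowlist is data and the "deny everything else" behaviour is the chain policy rather than a rule that can be forgotten. The following is an added example, not part of this control document: it takes a small allowlist (the service entries and source ranges are constructed sample values), validates it, renders it as an nftables ruleset with `policy drop` on the input chain, and evaluates whether a given inbound connection would be accepted, so the same policy can be checked offline before it is loaded with `nft -f`. The `Allow` type and the function names are this example's own.

```python
"""Default-deny host firewall: render an allowlist as an nftables ruleset
and evaluate connections against it (added example, not the control's text)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Allow:
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    source: str   # CIDR of permitted clients


# Constructed sample policy: SSH and DNS from the internal range only,
# HTTPS from anywhere, SSH from a documentation IPv6 prefix.
POLICY = [
    Allow("tcp", 22, "10.0.0.0/8"),
    Allow("tcp", 443, "0.0.0.0/0"),
    Allow("udp", 53, "10.0.0.0/8"),
    Allow("tcp", 22, "2001:db8::/32"),
]


def validate(rules):
    """Reject entries that would silently produce a wrong or unloadable ruleset."""
    for r in rules:
        if r.proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {r.proto!r}")
        if not 1 <= r.port <= 65535:
            raise ValueError(f"port out of range: {r.port}")
        ipaddress.ip_network(r.source)  # raises ValueError on a malformed CIDR
    return rules


def render_nft(rules):
    """Return nftables syntax. The chain policy is drop, so any service not
    listed is blocked by default rather than exposed by omission."""
    validate(rules)
    lines = [
        "table inet host_fw {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        "    ct state invalid drop",
    ]
    for r in rules:
        # IPv4 and IPv6 sources need different match keywords in an inet table.
        family = "ip" if ipaddress.ip_network(r.source).version == 4 else "ip6"
        lines.append(f"    {family} saddr {r.source} {r.proto} dport {r.port} accept")
    lines += ['    log prefix "host_fw drop: " drop', "  }", "}"]
    return "\n".join(lines)


def is_allowed(rules, proto, port, src_ip):
    """Default-deny evaluation: True only when a rule explicitly matches."""
    addr = ipaddress.ip_address(src_ip)
    for r in rules:
        net = ipaddress.ip_network(r.source)
        if (r.proto == proto and r.port == port
                and addr.version == net.version and addr in net):
            return True
    return False


if __name__ == "__main__":
    print(render_nft(POLICY))
    for probe in [("tcp", 22, "10.1.2.3"), ("tcp", 22, "203.0.113.5"),
                  ("tcp", 3389, "10.1.2.3"), ("tcp", 22, "2001:db8::1")]:
        print(probe, "->", "accept" if is_allowed(POLICY, *probe) else "drop")
```

The evaluator is deliberately the same shape as the rendered rules: if `is_allowed` and the loaded ruleset ever disagree for a probe, the renderer (or the allowlist) has a bug worth finding before the host is exposed.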
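Control 11.3 asks for regular port scans compared against a known-good baseline, with an alert whenever a new port appears. The following is an added example, not part of this control document: it parses nmap's grepable (`-oG`) output format into the set of open ports per host, diffs that against a baseline scan in the same format, and returns alert tuples for newly opened ports, for hosts missing from the baseline, and for expected ports that have gone quiet. Both scan texts are constructed samples embedded inline; ports reported as `open|filtered` are ignored so that a noisy UDP scan does not page anyone. The function names are this example's own.

```python
"""Compare a current port scan against a baseline and raise alerts
(added example, not the control's text)."""
import re

# One entry per port in an -oG "Ports:" field: port/state/protocol/...
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/")

# Constructed sample scans in nmap grepable format (fields are tab-separated).
BASELINE_SCAN = """# Nmap scan initiated (constructed baseline sample)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.0.0.6 ()\tPorts: 53/open/udp//domain///\tIgnored State: closed (999)
"""

CURRENT_SCAN = """# Nmap scan initiated (constructed current sample)
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3306/open/tcp//mysql///\tIgnored State: closed (997)
Host: 10.0.0.6 ()\tPorts: 53/open/udp//domain///, 8080/open|filtered/tcp//http-proxy///\tIgnored State: closed (998)
Host: 10.0.0.7 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
"""


def parse_grepable(text):
    """Return {host: {(port, proto), ...}} counting only ports in state 'open'."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and summary lines
        host = line.split()[1]
        hosts.setdefault(host, set())
        m = re.search(r"Ports: (.*?)(?:\t|$)", line)
        if not m:
            continue  # "Status: Up" lines carry no port list
        for port, state, proto in PORT_RE.findall(m.group(1)):
            if state == "open":
                hosts[host].add((int(port), proto))
    return hosts


def compare(baseline, current):
    """Diff two parsed scans. Returns (kind, host, port, proto) tuples."""
    alerts = []
    for host, open_now in current.items():
        if host not in baseline:
            alerts.append(("HOST_NOT_IN_BASELINE", host, None, None))
        expected = baseline.get(host, set())
        for port, proto in sorted(open_now - expected):
            alerts.append(("NEW_OPEN_PORT", host, port, proto))
        for port, proto in sorted(expected - open_now):
            # Informational: a service that should be listening is not.
            alerts.append(("EXPECTED_PORT_CLOSED", host, port, proto))
    for host in sorted(baseline.keys() - current.keys()):
        alerts.append(("HOST_NOT_SCANNED", host, None, None))
    return alerts


def scan_alerts(baseline_text, current_text):
    """Convenience wrapper: raw scan texts in, alert list out."""
    return compare(parse_grepable(baseline_text), parse_grepable(current_text))


if __name__ == "__main__":
    for kind, host, port, proto in scan_alerts(BASELINE_SCAN, CURRENT_SCAN):
        detail = f" {port}/{proto}" if port else ""
        print(f"{kind}: {host}{detail}")
```

Only `NEW_OPEN_PORT` and `HOST_NOT_IN_BASELINE` need to go to an on-call queue; the other two kinds are useful for spotting a broken service or a scanner that skipped a host, which would otherwise make the comparison silently incomplete.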

Additional Reading