STIGQter: STIG Summary: Forescout Network Device Management Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 20 Nov 2020:

Forescout must enforce access restrictions associated with changes to the firmware, OS, USB port, and console port.

DISA Rule

SV-230951r615886_rule

Vulnerability Number

V-230951

Group Title

SRG-APP-000516-NDM-000335

Rule Version

FORE-NM-000240

Severity

CAT II

CCI(s)

• CCI-000345 - The organization enforces logical access restrictions associated with changes to the information system.
• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Configure Forescout to prevent access to change the software resident within software libraries for unauthorized personnel.

View each of the Forescout user group accounts associated with the external user directory groups (e.g., RADIUS, Active directory, LDAP).

Perform the following actions for each group:
1. Log on to the Forescout Console and select Tools >> Options >> Console User Profiles.
2. Select the user group that is not authorized access according to the SSP.
3. Select "Edit" and the "Permissions" tab.
4. Verify the options for "Module Management" or "Software Upgrade" are not selected.

Check Contents

Check Forescout to determine if only authorized administrators have permissions for changes, deletions, and updates on the network device. Inspect the maintenance log to verify changes are being made only by the system administrators.

1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> CounterACT User Profiles.
3. Select (highlight) the user profile to be reviewed (group or user) and then select "Edit".
4. Verify the non-administrator account selected does not have "update" on the "Permissions" tab for "Forescout Appliance Configuration".

If unauthorized users are allowed to change the hardware or software, this is a finding.

Vulnerability Number

V-230951

Documentable

False

Rule Version

FORE-NM-000240

Severity Override Guidance

Check Forescout to determine if only authorized administrators have permissions for changes, deletions, and updates on the network device. Inspect the maintenance log to verify changes are being made only by the system administrators.

1. Log on to the Forescout Administrator UI with admin or operator credentials.
2. From the menu, select Tools >> Options >> CounterACT User Profiles.
3. Select (highlight) the user profile to be reviewed (group or user) and then select "Edit".
4. Verify the non-administrator account selected does not have "update" on the "Permissions" tab for "Forescout Appliance Configuration".

If unauthorized users are allowed to change the hardware or software, this is a finding.

Check Content Reference

M

Target Key

5245

Comments