Disable unnecessary applications, ports, and protocols on Wireless Access Points.


CONTROL ID: 04835
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Configure Wireless Access Points in accordance with organizational standards., CC ID: 12477

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • AIs should take effective measures to address the risk of unauthorized downloading of customer data to portable storage media (e.g. USB drives) and loss of such media containing customer data. In this connection, AIs should disable the portable storage media ports of those computers of staff members… (Annex E. ¶ 1, Hong Kong Monetary Authority Customer Data Protection, 14 October 2014)
  • T44: The organization shall minimize the number of connected devices, communication routes, and communications-related devices that can be accessed from external networks. The organization shall not connect unnecessary devices. T44.2: The organization shall securely set up computers that are connect… (T44, T44.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Monitor LAN/WiFi regularly and remove unauthorised clients and WiFi access points. (Annex A2: Computer Network Security 10, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • The administrative interface on wireless access points is disabled for wireless network connections. (Control: ISM-1315; Revision: 2, Australian Government Information Security Manual, June 2023)
  • The administrative interface on wireless access points is disabled for wireless network connections. (Control: ISM-1315; Revision: 2, Australian Government Information Security Manual, June 2024)
  • The administrative interface on wireless access points is disabled for wireless network connections. (Security Control: 1315; Revision: 2, Australian Government Information Security Manual, March 2021)
  • The administrative interface on wireless access points is disabled for wireless network connections. (Control: ISM-1315; Revision: 2, Australian Government Information Security Manual, September 2023)
  • Unused physical ports on the network devices should be disabled on all devices classified below top secret. (Control: 0533, Australian Government Information Security Manual: Controls)
  • Unused physical ports on all network devices must be disabled on top secret devices. (Control: 0534, Australian Government Information Security Manual: Controls)
  • The organization should disable the administrative interface on Wireless Access Points. (Control: 1315, Australian Government Information Security Manual: Controls)
  • Wireless Access Points must have the WEP encryption and the Temporal Key Integrity Protocol disabled or removed. (Control: 1333, Australian Government Information Security Manual: Controls)
  • Management ports on network devices should be disabled when not in use. (§ 2.3.1 (2.3.1.030), The Center for Internet Security Wireless Networking Benchmark, 1)
  • Network devices should have management ports disabled when not in use. (§ 1.2 (2.3.1.030), The Center for Internet Security Wireless Networking Benchmark, Cisco Addendum, 1)
  • Network devices should have management ports disabled when not in use. (§ 1.2 (2.3.1.030), The Center for Internet Security Wireless Networking Benchmark, DLINK Addendum, 1)
  • Network devices should have management ports disabled when not in use. (§ 1.2 (2.3.1.030), The Center for Internet Security Wireless Networking Benchmark, Linksys Addendum, 1)
  • Disable all unnecessary applications, ports, and protocols on Access Points (APs). (§ 4.2.1.E, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • Firewalls, routers, and/or network-based intrusion protection systems should block with default-deny rules all ports and protocols that do not have an explicit and documented business need. (Critical Control 10.2, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • CSR 10.7.9: The organization must disable all system services, ports, and network protocols that are not explicitly required for application and system functionality. CSR10.8.7: The organization must use automated mechanisms to centrally apply and verify configuration settings. The organization must… (CSR 10.7.9, CSR 10.8.7, CSR 10.8.8, CSR 10.10.5(3), Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The agency shall disable the ad hoc mode, unless the environment risk has been assessed and is tolerable. (§ 5.5.7.1(11), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall disable all nonessential management protocols on the access points. (§ 5.5.7.1(12), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall disable HyperText Transfer Protocol when it is not needed or protect the access to HyperText Transfer Protocol with authentication and encryption. (§ 5.5.7.1(12), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall prohibit and/or restrict the use of stated functions, ports, protocols, and services. (§ 5.7.1.1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Enable the hotspot's port filtering/blocking features if present (§ 5.13.1.4 ¶ 2(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Ensure all management access and authentication occurs via FIPS compliant secure protocols (e.g. SFTP, HTTPS, SNMP over TLS, etc.). Disable non-FIPS compliant secure access to the management interface. (§ 5.13.1.1 ¶ 2 13., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) cryptographic algorithms, used by all pre-802.11i protocols, do not meet the requirements for FIPS 140-2 and shall not be used. (§ 5.13.1.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Enable the hotspot's port filtering/blocking features if present (§ 5.13.1.4 ¶ 2 4., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Disable all nonessential management protocols on the APs. (§ 5.13.1.1 ¶ 2 12., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Do the procedures for client computers with wireless Network Interface Cards include disabling Simple Network Management Protocol, NetBIOS over TCP/IP, and all unnecessary Transmission Control Protocol services? (IT - WLANS Q 18d, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The organization should review the system on an organizationally defined period to identify and restrict any unnecessary protocols, ports, services, and/or functions. (SG.CM-7 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should disable nonsecure networking protocols inside the Information System unless specifically authorized. (App F § AC-17(8), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Disable all insecure and unused management protocols (e.g., SNMPv1 and SNMPv2) on the APs, and configure remaining management protocols for least privilege (i.e., read only) unless write access is required (e.g., to change configuration settings as part of an automated incident response procedure). … (IMPLEMENTATION ¶ 1, Standard 643S1: Wireless Networks, 643S1-00)
  • Disable WEP and all other unused protocols in the configuration of each AP. (IMPLEMENTATION ¶ 3, Standard 643S1: Wireless Networks, 643S1-00)
  • Turn off communication ports (if possible) during periods of inactivity to minimize the risk of malicious access. (REQUIREMENTS: ¶ 1 Bullet 4, Standard 643S2: Wireless Clients, 643S2-00)