AC-17-727 Remote Access

AC-17-727
Remote Access
Access Control
Protect
Internet Content Filtering, Portable and Remote Computing
LOW, MOD, HIGH
P1
Yes
August 17, 2016

All remote access to Agency-owned information resources shall be conducted using the Microsoft Remote Desktop Protocol (RDP) or Secure Shell (SSH) service. RDP and SSH shall be configured to enforce TLS connections; insecure connection requests shall be denied. No public access to RDP or SSH shall be permitted; all connections must initiate either within the Agency's protected network or via a secure gateway. Users must be explicitly authorized for remote access to a workstation with the approval of the information resource owner.

Users of corporate information systems expose business information to exploitable vulnerabilities when using teleworking solutions.
The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections.
a. Remote access is not permitted without explicit approval. b. Access to the corporate network is only provided when using VPN while working remotely.
The state organization establishes, documents, and reviews usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed. All remote access connections must be authorized prior to allowing such connections.
Obtain the access control policy; procedures addressing remote access to the information system; information system configuration settings and associated documentation; information system audit records; and other relevant documents or records, and ascertain if: (i) the organization authorizes, monitors, and controls remote access to the information system for all allowed methods of remote access, including both establishment of the remote connection and subsequent user actions across that connection; (ii) the information system employs automated mechanisms to facilitate the monitoring and control of remote access methods; and (iii) the information system employs cryptography to protect the confidentiality and integrity of remote access sessions.