Free DISA STIG and SRG Library | Vaulted

V-3080

The Configuration auto-loading feature must be disabled when connected to an operational network.

Finding ID
NET0760
Rule ID
SV-3080r3_rule3080r4_rule
Severity
Cat II
CCE
(None)
Group Title
Configuration auto-loading must be disabled.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Devices can find their startup configuration either in their own NVRAM or over the network via TFTP or Remote Copy (rcp). Loading the image from the network is a security risk, since the image could be intercepted by an attacker who could corrupt it, resulting in a denial of service. Configuration auto-loading can be enabled when the device is connected to a non-operational network. Once the device is connected to an operational (i.e., production) network, configuration auto-loading must be disabled.

Fix Text

Disable the configuration auto-loading feature when the device is connected to an operational network.

Check Content

Review the device configuration to determine if the configuration auto-loading feature is disabled. If the configuration auto-loading feature is enabled when the device is connected to an operational network, this is a finding.
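
One way to automate the configuration review above, as an added example that is not part of the STIG text. It assumes Cisco IOS-style syntax, where `service config`, `boot network` and `boot host` enable auto-loading; the STIG names no vendor, and the sample configs and function names are constructed for illustration.

```python
import re

# Assumed Cisco IOS-style commands that turn on network configuration
# auto-loading. The STIG text names no vendor, so adjust for your platform.
AUTOLOAD_RE = re.compile(r"^(service config|boot network|boot host)\b", re.IGNORECASE)

# Constructed sample configs (not taken from any real device).
NONCOMPLIANT = """\
hostname lab-rtr1
service compress-config
service config
boot network tftp://192.0.2.10/network-confg
!
interface GigabitEthernet0/0
 description boot host would be a comment here, not a command
"""

COMPLIANT = """\
hostname prod-rtr1
no service config
no boot network
! service config  (commented out)
"""

def find_autoload_lines(config_text):
    """Return (line_number, command) for every line enabling auto-loading."""
    hits = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        # Skip blanks, '!' comments and negated ("no ...") forms.
        if not line or line.startswith("!") or line.lower().startswith("no "):
            continue
        # Anchored match: the keyword must begin the command, not appear mid-line.
        if AUTOLOAD_RE.match(line):
            hits.append((number, line))
    return hits

def is_finding(config_text):
    """True when the config would be a finding on an operational network.

    Assumption: a config with no enabling line is treated as disabled;
    confirm the platform default before relying on absence alone.
    """
    return bool(find_autoload_lines(config_text))

if __name__ == "__main__":
    for name, cfg in (("NONCOMPLIANT", NONCOMPLIANT), ("COMPLIANT", COMPLIANT)):
        print(name, "finding" if is_finding(cfg) else "not a finding", find_autoload_lines(cfg))
```

Run it against a saved copy of the device configuration rather than a live session, and keep the reported line numbers as evidence for the finding.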

Responsibility

Information Assurance Officer