Cisco IOS Router STIG (Y26M01) Checklist
Medium · 22 items · 4 hours · testuser · Published 1 month ago
This checklist helps network administrators apply the Cisco IOS Router STIG (Y26M01) hardening controls to Cisco IOS devices. It’s for teams or individuals responsible for router security, compliance, and operational hardening in managed environments.
- Backup current router configuration — Save running-config to startup-config and export a copy to a secure server or repository.
- Verify device inventory and IOS firmware version — Record model, serial, and exact IOS release to confirm STIG applicability.
- Apply latest approved IOS image if required — Install vendor-approved images that address security fixes and vulnerabilities.
- Disable unused interfaces — Administratively shut down interfaces that carry no authorized traffic.
- Disable HTTP, FTP, and Telnet services — Turn off legacy/cleartext services unless explicitly required and justified.
- Enforce secure management protocols — Consolidate management on secure channels and restrict access to the management plane.
- Enable SSH and disable Telnet — Use SSH for CLI management; ensure only modern SSH versions/ciphers are allowed.
- Configure AAA authentication and authorization — Use local or external RADIUS/TACACS+ for authentication and logging of admin access.
- Set login banners and enable password encryption — Apply legal banner and service password-encryption or secret hashing.
- Configure strong authentication and password policies — Enforce complex passwords, minimum lengths, and account lockout where supported.
- Implement role-based access control or fine-grained AAA roles — Assign least-privilege operator roles and avoid shared accounts.
- Configure access control lists for management plane — Restrict which IPs/networks can reach management services (SSH, SNMP, HTTP(S)).
- Configure secure SNMP settings — Avoid SNMPv1/v2c; prefer SNMPv3 with auth and encryption.
- Use SNMPv3 with authentication and encryption — Create SNMPv3 users with strong auth/privacy settings.
- Restrict SNMP access using ACLs — Only allow management stations to query SNMP.
- Enable and verify NTP synchronization — Point devices to authenticated, trusted NTP sources for accurate timestamps.
- Configure centralized logging and monitoring — Send logs to a secure syslog server and enable logging timestamps.
- Set logging host and enable timestamps — Configure syslog server IPs and log facility levels.
- Enable Control Plane Policing or rate limiting — Protect the control plane from excessive traffic and basic DoS conditions.
- Harden cryptographic settings for management protocols — Disable weak ciphers, enable TLS for web management, and enforce strong SSH algorithms.
- Run a compliance scan and remediate findings — Use STIG tools or automated scanners and address high-risk findings first.
- Document configuration changes and update compliance records — Record changes, store configs, and note STIG check statuses for audits.