TickYouOff

Cisco ISE STIG Checklist

Hard 22 items · 4 hours
testuser Published 4 weeks ago

This checklist helps administrators implement the Cisco Identity Services Engine (ISE) STIG to secure ISE deployments and meet DoD compliance requirements. It is intended for system and security administrators responsible for configuration, auditing, and remediation.

Source: https://ncp.nist.gov/checklist/994

  1. Download official Cisco ISE STIG package — Get the current STIG release (XCCDF benchmark and STIG Viewer content) from the DoD Cyber Exchange (DISA); do not work from a copy of unknown provenance or an old revision.
  2. Verify ISE software version matches STIG scope — Confirm the ISE version and deployment type (appliance or VM, nodes and personas) are covered by the STIG you downloaded; findings against an out-of-scope release are not valid evidence.
  3. Backup current ISE configuration — Take a full configuration backup to a configured repository and export the system and trusted certificates before any change; store the backup encryption key separately from the backup so it can actually be restored.
  4. Apply latest security patches and updates — Install vendor security patches and hotfixes on ISE nodes.
  5. Configure NTP to central time source — Configure authenticated NTP (symmetric key) against the approved time source on every ISE node so timestamps agree across the deployment and with the central log collector; unauthenticated NTP lets an on-path attacker skew logs and certificate validity checks.
  6. Configure Syslog forwarding to central server — Assign the ISE logging categories (administrative and operational audit, AAA, passed and failed authentications) to a remote logging target so events are collected centrally rather than only on the node.
  7. Point ISE to central Syslog server — Define the remote logging target with the server IP, port, and protocol; prefer secure syslog (TLS) over UDP, which is unauthenticated and silently drops audit records when the collector is unreachable.
  8. Set log severity and retention policy — Set the severity level per logging category and the local log retention as the STIG requires; local retention must be long enough to cover an outage of the central collector.
  9. Enable and configure audit logging — Turn on administrative and operational audit logging so admin logins, configuration changes, and endpoint authentication successes and failures are recorded with who, what, and when.
  10. Configure LDAP/AD integration for authentication — Integrate ISE with directory services for user auth and groups.
  11. Verify LDAP TLS certificates and trust chains — Use LDAPS (or LDAP with STARTTLS) and validate the directory server's certificate against a CA in the ISE trusted certificates store; an untrusted, expired, or name-mismatched chain must fail the connection, not be bypassed.
  12. Test LDAP bind and role mappings — Validate bind credentials and that group-to-role mapping works.
  13. Harden admin accounts and enforce MFA — Require strong passwords, account lockouts, and MFA for admins.
  14. Remove or disable default administrative accounts — Remove or disable unused default and test accounts, and rename the default admin account where the platform allows it; verify each remaining admin account maps to a named individual.
  15. Restrict management interface access with ACLs or firewall rules — Limit IPs allowed to access GUI, CLI, and API endpoints.
  16. Disable unused services and network ports — Turn off services (e.g., unnecessary protocols) to reduce attack surface.
  17. Configure certificate management and rotation — Plan and enforce timely renewal of server and trust certificates.
  18. Install trusted CA-signed certificates — Replace self-signed certs with CA-signed certs for interfaces.
  19. Ensure device profiling and posture policies are enabled and tuned — Verify profiling, posture checks, and remediation flows are active.
  20. Test policy enforcement and device compliance — Simulate endpoints to confirm policies block or quarantine noncompliant devices.
  21. Run compliance scan using the STIG XCCDF and remediate findings — Run the benchmark where automated content exists, evaluate the remaining checks manually (for example in STIG Viewer), review the results, and remediate in severity order; a check the scanner could not evaluate is an open item, not a pass.
  22. Document configuration changes, approvals, and maintenance plan — Record changes, ticket/approval references, and schedule future audits.
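Items 21 and 22 end with reviewing the scan output and recording what remains open. The script below, added here as an example and not code from the checklist, the Cisco ISE STIG, DISA, or NIST NCP, reads an XCCDF 1.2 result document, joins each rule-result to its rule's severity and title, and orders the open findings for remediation, treating unevaluated (notchecked) rules as open rather than passed. The embedded XML is a constructed sample whose rule IDs are placeholders, not real STIG or vulnerability identifiers.

```python
"""Triage an XCCDF 1.2 result file into a prioritized list of open findings.

Added example: not code from the Cisco ISE STIG, DISA, or NIST NCP. The
embedded XML is a constructed sample; its rule IDs are placeholders and
not real STIG or vulnerability identifiers.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Lower rank sorts first; severities outside the STIG vocabulary sort last.
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# XCCDF <result> values that leave a rule unresolved. 'notchecked' means the
# scanner could not evaluate it (a manual check); it is not a pass.
OPEN_RESULTS = {"fail", "error", "unknown", "notchecked"}

# Constructed sample: a tiny benchmark plus the results of one run.
SAMPLE_RESULTS = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_ise">
  <Group id="xccdf_example_group_logging">
    <Rule id="xccdf_example_rule_syslog" severity="medium">
      <title>ISE must forward audit records to a central syslog server</title>
    </Rule>
    <Rule id="xccdf_example_rule_ntp" severity="low">
      <title>ISE must use authenticated NTP</title>
    </Rule>
  </Group>
  <Rule id="xccdf_example_rule_admin_mfa" severity="high">
    <title>ISE administrator accounts must use multifactor authentication</title>
  </Rule>
  <Rule id="xccdf_example_rule_ca_cert" severity="medium">
    <title>ISE interfaces must present CA-signed certificates</title>
  </Rule>
  <TestResult id="xccdf_example_testresult_run1">
    <rule-result idref="xccdf_example_rule_syslog"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_ntp"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_admin_mfa"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_ca_cert"><result>notchecked</result></rule-result>
    <rule-result idref="xccdf_example_rule_orphan"><result>error</result></rule-result>
  </TestResult>
</Benchmark>
"""


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    title: str
    result: str


def load_rules(root: ET.Element) -> dict[str, tuple[str, str]]:
    """Map every Rule id, including those nested in Groups, to (severity, title)."""
    rules: dict[str, tuple[str, str]] = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        title_el = rule.find("x:title", NS)
        title = (title_el.text or "").strip() if title_el is not None else ""
        # XCCDF treats a missing severity attribute as 'unknown'.
        rules[rule.get("id", "")] = (rule.get("severity", "unknown"), title)
    return rules


def open_findings(xccdf_xml: str) -> list[Finding]:
    """Return unresolved rule results ordered high > medium > low > unknown,
    with outright failures ahead of unevaluated checks at equal severity."""
    root = ET.fromstring(xccdf_xml)
    rules = load_rules(root)
    findings: list[Finding] = []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result_el = rr.find("x:result", NS)
        result = (result_el.text or "").strip() if result_el is not None else "unknown"
        if result not in OPEN_RESULTS:
            continue
        rule_id = rr.get("idref", "")
        # A result whose rule is missing from the benchmark still needs review.
        severity, title = rules.get(rule_id, ("unknown", "(rule not found in benchmark)"))
        findings.append(Finding(rule_id, severity, title, result))
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f.severity, 3), f.result != "fail", f.rule_id))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count open findings per severity, for the remediation ticket."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    found = open_findings(SAMPLE_RESULTS)
    for f in found:
        print(f"{f.severity:8}{f.result:11}{f.rule_id}  {f.title}")
    print("open by severity:", summarize(found))
```

Run it against the result file your scanner or STIG Viewer exports (replace SAMPLE_RESULTS with the file contents); the ordered list is what goes into the remediation ticket for item 22, and the notchecked entries are the manual checks that still have to be evaluated and recorded before the deployment can be called compliant.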