2. Users Management

CIS Guidelines for securing a pfSense Firewall

2.1 Ensure Sessions Timeout is set to less than or equal to 10 minutes

Description:

The session inactivity timeout setting represents the amount of time a user can be inactive before the user's session times out and closes. It only affects user browser sessions.

Rationale:

Indefinite or even long session timeout window increase the risk of attackers abusing abandoned sessions

Audit:

In the GUI:

- Navigate to System > User Manager
- Click the Setting at the top.
- Check on the 'Session Timeout' field.

Default Value: Username listed will be: 'admin'

Remediation:

In the GUI:

- Navigate to System > User Manager
- CLIck the Setting at the top.
- set 10 in the 'Session Timeout' field.
- Click Save

CIS Controls:

Controls Version

Control

14.3 Configure Automatic Session Locking on Enterprise

Assets

Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.

16.11 Lock Workstation Sessions After Inactivity

Automatically lock workstation sessions after a standard period of inactivity.

2.2 Ensure LDAP or RADIUS server configured

Description:

Configured the LDAP Servers or Radius server for central authentication.

Rationale:

Authentication, authorization and accounting (AAA) scheme provide an authoritative source for managing and monitoring access for devices.

Audit:

In the GUI:

- Navigate to System > User Manager.
- CLIck the Authentication Servers at the top.
- Check "Authentication Servers" Setting

Default Value: Local Database

Remediation:

In the GUI:

- Navigate to System > User Manager.
- CLIck the Authentication Servers at the top.
- Configure "Authentication Servers" Setting

CIS Controls:

Controls Version

Control

5.6 Centralize Account Management

Centralize account management through a directory or identity service.

16.2 Configure Centralized Point of Authentication

Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.

Description:

Set the Console Menu to password protected.

Rationale:

An unattended computer with an open Console Menu session to the device could allow an unauthorized user access to the firewall’s management.

Audit:

- Navigate to System > Advanced > Admin Access.
- Check "Console Options" Setting

Default Value: 'Console menu' will be unchecked

Remediation:

In the GUI:

- Navigate to System > Advanced > Admin Access.
- Set "Console Options" Setting
- CLIck "Save"

CIS Controls:

Controls Version

Control

5.2 Use Unique Passwords

Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.

4.4 Use Unique Passwords

Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.

2.4 Ensure all default accounts are either disabled or utilize strong passwords

Description:

Disable the known default accounts configured. Note: The default admin account must remain enabled for high availability synchronization to work. Disabling it could cause issues.

Rationale:

Default accounts are accounts with predefined usernames and passwords that are typically included with software and hardware devices. Attackers often target default accounts because they are widely known and can be used to gain unauthorized access to a system. To prevent unauthorized access, all default accounts should either be disabled or have their passwords changed.

Audit:

In the GUI:

- Navigate to System > User Manager > Users
- View the default users

Default Value: 'admin' is the only default user

Remediation:

In the GUI:

- Navigate to System > User Manager > Users
- Remove any default users that are not used.

Note: The default admin account must remain enabled for high availability synchronization to work. Disabling it could cause issues.

Additional Information:

The known default accounts are often (without limiting to) the following: 'admin', 'guest', 'user', 'root', 'administrator', 'operator', 'supervisor', and 'demo'. It is important to change the passwords of these accounts to prevent attackers from using them to gain unauthorized access to the system. The use of strong, unique passwords for all user accounts is also recommended to further enhance security.

CIS Controls:

Controls Version

Control

4.7 Manage Default Accounts on Enterprise Assets and

Software

Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.

16.9 Disable Dormant Accounts

Automatically disable dormant accounts after a set period of inactivity.

Previous1. General Setting Policy Nextsec.lab

Last updated 2 years ago

hashtag2.1 Ensure Sessions Timeout is set to less than or equal to 10 minutes

hashtag2.2 Ensure LDAP or RADIUS server configured

hashtag2.3 Ensure Console Menu is Password Protected

hashtag2.4 Ensure all default accounts are either disabled or utilize strong passwords

2.1 Ensure Sessions Timeout is set to less than or equal to 10 minutes

2.2 Ensure LDAP or RADIUS server configured

2.3 Ensure Console Menu is Password Protected

2.4 Ensure all default accounts are either disabled or utilize strong passwords