NIST Compliance

Compliance: NIST 800-171

The National Institute of Standards and Technology (NIST) Special Publication 800-171 is an important set of guidelines that aims to ensure the safety and confidentiality of sensitive federal data. Any organization that stores, processes, or transmits Controlled Unclassified Information (CUI) for the Department of Defense, NASA, or any other federal or state agency must comply with NIST 800-171.

Here is a detailed look at how Desktop Central helps you meet the NIST 800-171 requirements.

Each entry below gives the requirement number (S.No), the requirement description, and how Desktop Central fulfills it.
3.1

Access Control

3.1.1

Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

Create local users and add them to a suitable group to give them the proper scope on systems, using Desktop Central’s user management configuration.

3.1.2

Limit system access to the types of transactions and functions that authorized users are permitted to execute.

Create local users and add them to a suitable group to give them the proper scope on systems, using Desktop Central’s user management configuration.

3.1.5

Employ the principle of least privilege, including for specific security functions and privileged accounts.

Using the Privileged Access Management solution, privileged user activity can be supervised with session shadowing capabilities and dual control on privileged access can be achieved. Local user accounts can be managed using user management configurations under Desktop Central.

3.1.7

Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

Create local users and add them to a suitable group to give them the proper scope on systems, using Desktop Central’s user management configuration.

Desktop Central has access to all systems’ Event Viewer to monitor the activities performed in each system. You can provide various category-based filters to monitor the required activities.

3.1.8

Limit unsuccessful logon attempts.

Deploy scripts that limit the number of logon attempts to all endpoints from a centralized console with Desktop Central’s custom script configuration.

3.1.9

Provide privacy and security notices consistent with applicable CUI rules.

Desktop Central's Legal Notice configuration lets you display important announcements and legal notices throughout the enterprise. The configured message is displayed whenever a user presses Ctrl+Alt+Del to log in.

3.1.10

Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

Force the screen to sleep or hibernate after a specified period of inactivity with Desktop Central’s power management configuration. You can also configure whether a password is required after sleep.
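As an added example (not Desktop Central's own code or configuration), the following script shows what a custom script deployed for 3.1.9 and 3.1.10 would set on a Windows endpoint: the logon banner shown before Ctrl+Alt+Del, the standby timeout, and the "require a password on wakeup" power setting, followed by a read-back so the result can be audited. The banner text and the 15-minute timeout are placeholders.

```powershell
# Added example, not Desktop Central's own code: what a custom script deployed for
# 3.1.9 (logon banner) and 3.1.10 (idle sleep with password on wake) sets on a
# Windows endpoint. Banner text and the 15-minute timeout are placeholders.
# Run in an elevated session.

$ErrorActionPreference = 'Stop'

# --- 3.1.9: legal notice shown before the Ctrl+Alt+Del logon -------------------
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$caption   = 'Authorized Use Only'                                             # placeholder
$notice    = 'This system processes CUI. Activity is monitored and recorded.'  # placeholder

Set-ItemProperty -Path $policyKey -Name 'LegalNoticeCaption' -Value $caption -Type String
Set-ItemProperty -Path $policyKey -Name 'LegalNoticeText'    -Value $notice  -Type String

# --- 3.1.10: sleep after inactivity, require a password when the session resumes ---
$idleMinutes = 15                                                              # placeholder
# Standby timeout on AC and battery, in minutes (0 would mean "never")
powercfg /change standby-timeout-ac $idleMinutes
powercfg /change standby-timeout-dc $idleMinutes
# CONSOLELOCK is the "Require a password on wakeup" setting of the active power scheme
powercfg /setacvalueindex SCHEME_CURRENT SUB_NONE CONSOLELOCK 1
powercfg /setdcvalueindex SCHEME_CURRENT SUB_NONE CONSOLELOCK 1
powercfg /setactive SCHEME_CURRENT

# --- verification: read the effective values back so the run can be audited ------
function Get-SessionHardeningState {
    $banner = Get-ItemProperty -Path $policyKey -Name 'LegalNoticeCaption', 'LegalNoticeText'
    # "powercfg /query" prints e.g. "Current AC Power Setting Index: 0x00000001"
    $lockQuery = powercfg /query SCHEME_CURRENT SUB_NONE CONSOLELOCK
    $acIndex   = ($lockQuery | Select-String 'Current AC Power Setting Index:\s+0x([0-9a-fA-F]+)').Matches[0].Groups[1].Value
    [PSCustomObject]@{
        Computer         = $env:COMPUTERNAME
        BannerConfigured = ($banner.LegalNoticeCaption -eq $caption) -and ($banner.LegalNoticeText -eq $notice)
        StandbyMinutesAC = $idleMinutes
        PasswordOnWakeAC = ([Convert]::ToInt32($acIndex, 16) -eq 1)
    }
}

Get-SessionHardeningState
```

The read-back at the end is what turns a one-off script into evidence: the returned object can be collected from every endpoint and compared against the policy values rather than trusting that the deployment succeeded.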

3.1.12

Monitor and control remote access sessions.

Block outbound remote control ports for specified users or computers using Desktop Central’s firewall configuration to prevent unprivileged remote sessions.

3.1.13

Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

Desktop Central's Remote Control feature runs over HTTPS to protect the confidentiality of remote access sessions.

3.1.15

Authorize remote execution of privileged commands and remote access to security-relevant information.

Deploy privileged commands to multiple computers and control systems' displays remotely from Desktop Central’s centralized console.

3.1.18

Control connection of mobile devices.

Prevent unauthorized mobile devices from connecting to your organization’s network with Desktop Central’s SCEP certificate distribution feature.

Deploy profiles to all mobile devices based on their platform to restrict mobile device usage including anonymous activities on them.

3.1.19

Encrypt CUI on mobile devices and mobile computing platforms.

Containerize CUI on mobile devices using Desktop Central’s mobile device management capabilities. If any malicious activity, like data theft, is discovered, the device can be wiped remotely. Desktop Central also provides the option to secure devices with passwords that adhere to predefined complexity requirements.

3.1.20

Verify and control/limit connections to and use of external systems.

Desktop Central's Device Control Plus add-on provides features to restrict the usage of USB devices. By assigning strict device policies using a device control solution, you can instantly identify the devices connected to your endpoints.

3.1.21

Limit use of portable storage devices on external systems.

Desktop Central's Device Control Plus add-on provides features to restrict the usage of USB devices and other portable storage devices to prevent theft of the CUI stored in systems.

3.1.22

Control CUI posted or processed on publicly accessible systems.

Restrict users from publicly posting CUI via a browser by blacklisting websites or website groups with Desktop Central’s browser management add-on.

Desktop Central's app control add-on helps to authorize only approved software to run in your publicly accessible systems. The Device Control Plus add-on helps block/unblock removable storage devices in publicly accessible systems, keeping your organization's systems secure.

3.3

Audit & Accountability


3.3.1

Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

Desktop Central has access to all systems’ Event Viewer to monitor the activities performed in each system. You can also provide various category-based filters to monitor the required activities.

3.3.2

Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.

Desktop Central provides a User Logon Report that tracks the login and logoff history on the managed endpoints. The actions performed by admins and technicians in the product's web console are also logged for auditing.

3.3.3

Review and update logged events.

Desktop Central has access to all systems’ Event Viewer to monitor the activities performed in each system. You can also provide various category-based filters to monitor the required activities.
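The category-based filtering described for 3.1.7, 3.3.1, 3.3.2 and 3.3.3 reads the same Windows Security log that the Event Viewer shows. As an added example (not Desktop Central's own code), the script below applies such a filter: it selects the standard logon, logoff and privileged-activity events, flattens them into records, and summarizes logon history per account and privileged-function use per subject. The sample records are constructed so the summary logic can be reviewed offline; the live query needs an elevated session and the corresponding audit subcategories enabled.

```powershell
# Added example, not Desktop Central's own code: a Security-log category filter
# covering logon history (3.3.2) and privileged functions (3.1.7), with constructed
# sample records. Event IDs are the standard Windows audit events.

$WatchedEvents = @{
    4624 = 'Logon'
    4634 = 'Logoff'
    4672 = 'Special privileges assigned to new logon'   # admin-equivalent token
    4720 = 'User account created'
    4732 = 'Member added to security-enabled local group'
    4719 = 'System audit policy changed'
}

function Get-SecurityEvents {
    # Live path: one query, filtered by log, event ID and time window (needs elevation)
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = [int[]]$WatchedEvents.Keys
        StartTime = $Since
    } -ErrorAction SilentlyContinue
}

function ConvertTo-AuditRecord {
    # Flattens an EventLogRecord into the fields the summary needs, via its XML form
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            Time      = $Event.TimeCreated
            Id        = [int]$Event.Id
            Category  = $WatchedEvents[[int]$Event.Id]
            Subject   = $data['SubjectUserName']        # who performed the action
            Target    = $data['TargetUserName']         # account, or group name for 4732
            LogonType = $data['LogonType']              # 2 interactive, 3 network, 10 RDP
        }
    }
}

function Get-AuditSummary {
    param([Parameter(Mandatory)][object[]]$Records)
    # Logon/logoff history per account (3.3.2)
    $sessions = $Records | Where-Object { $_.Id -in 4624, 4634 } | Sort-Object Time |
        Select-Object Time, @{ n = 'Account'; e = { $_.Target } }, Category, LogonType
    # Privileged-function use per subject (3.1.7): a 4672 logon plus what was done with it
    $privileged = $Records | Where-Object { $_.Id -in 4672, 4720, 4732, 4719 } |
        Group-Object Subject | ForEach-Object {
            [PSCustomObject]@{
                Account            = $_.Name
                PrivilegedLogons   = @($_.Group | Where-Object Id -eq 4672).Count
                AccountChanges     = @($_.Group | Where-Object Id -in 4720, 4732).Count
                AuditPolicyChanges = @($_.Group | Where-Object Id -eq 4719).Count
            }
        }
    [PSCustomObject]@{ Sessions = $sessions; PrivilegedActivity = $privileged }
}

# Constructed sample: an interactive admin logon that creates an account, adds it to
# Administrators, then logs off.
$sample = @(
    [PSCustomObject]@{ Time = [datetime]'2024-01-15T08:01:00'; Id = 4624; Category = 'Logon';  Subject = '-';    Target = 'jdoe';           LogonType = '2' }
    [PSCustomObject]@{ Time = [datetime]'2024-01-15T08:01:00'; Id = 4672; Category = 'Special privileges assigned to new logon'; Subject = 'jdoe'; Target = $null; LogonType = $null }
    [PSCustomObject]@{ Time = [datetime]'2024-01-15T08:05:00'; Id = 4720; Category = 'User account created'; Subject = 'jdoe'; Target = 'svc_backup'; LogonType = $null }
    [PSCustomObject]@{ Time = [datetime]'2024-01-15T08:06:00'; Id = 4732; Category = 'Member added to security-enabled local group'; Subject = 'jdoe'; Target = 'Administrators'; LogonType = $null }
    [PSCustomObject]@{ Time = [datetime]'2024-01-15T17:30:00'; Id = 4634; Category = 'Logoff'; Subject = '-';    Target = 'jdoe';           LogonType = '2' }
)

$report = Get-AuditSummary -Records $sample
$report.Sessions | Format-Table -AutoSize            # jdoe: logon 08:01, logoff 17:30
$report.PrivilegedActivity | Format-Table -AutoSize  # jdoe: 1 privileged logon, 2 account changes

# Live equivalent (elevated):
# Get-AuditSummary -Records (Get-SecurityEvents | ConvertTo-AuditRecord)
```

Filtering by event ID on the server side (the FilterHashtable) rather than pulling the whole log and filtering in PowerShell is what keeps this usable on endpoints with large Security logs; the per-subject grouping is the part that makes 4672 meaningful, since a privileged logon on its own says nothing about what the privilege was used for.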

3.4

Configuration Management


3.4.1

Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

Desktop Central can maintain an inventory of organizational systems, including hardware and software. You can deploy a baseline configuration to systems using Desktop Central.

3.4.2

Establish and enforce security configuration settings for information technology products employed in organizational systems.

Deploy security policies in endpoints with Desktop Central’s security policy configuration.

Identify security misconfigurations in systems and remediate them from a centralized console with Desktop Central’s Vulnerability Manager Plus add-on.

Blacklist or whitelist applications and stand-alone EXEs with Desktop Central’s app control add-on to prevent unauthorized applications from performing malicious activities.

Secure browser usage in your organization’s systems using Desktop Central’s browser management add-on.

Encrypt the hard drives of your organization’s systems with Desktop Central’s BitLocker add-on.

Secure your systems by allowing or blocking removable and portable devices using Desktop Central’s Device Control Plus add-on.

3.4.3

Track, review, approve or disapprove, and log changes to organizational systems.

Desktop Central's Vulnerability Manager Plus add-on periodically scans systems to identify security misconfigurations and remediates them in a single click. All hardware and software changes are tracked in a timely manner. Desktop Central also tracks patches and software updates. You can remediate those changes by deploying configurations.

3.4.4

Analyze the security impact of changes prior to implementation.

The 'Test and Approve' feature under Desktop Central's Patch Management lets you check the compatibility of a patch update with the systems in the network before deploying it. For other modules, such as configurations and software deployment, Desktop Central provides test deployment to specific targets.

3.4.5

Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

Enforce logical restrictions catering to your needs using the various User Configurations settings found under Desktop Central's configuration module.

3.4.6

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

Desktop Central's Application Control Plus add-on handles an essential part of privilege bracketing for applications and their privileged access, which enables enterprises to establish the principle of least privilege (POLP) without a drop in productivity.

3.4.7

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

Blacklist or whitelist applications and stand-alone EXEs to prevent unauthorized applications from performing malicious activities using Desktop Central’s app control add-on.

Block or allow specific ports in both inbound and outbound connections with Desktop Central’s firewall configuration.

Delete unapproved services from all machines using Desktop Central’s service configuration.

Restrict the use of portable storage devices and Bluetooth with Desktop Central’s Device Control Plus add-on to avoid theft of CUI stored in machines.
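As an added example (not Desktop Central's own code), here is a least-functionality baseline of the kind the firewall and service configurations above would push, written as one custom script with a verification step that reports pass/fail per item. The blocked ports and the service names are placeholders chosen for illustration; the right lists depend on what your systems actually need.

```powershell
# Added example, not Desktop Central's own code: least-functionality baseline for 3.4.7
# (block non-essential ports, disable non-essential services) plus a verification
# report. Ports and service names are placeholders. Run elevated.

$ErrorActionPreference = 'Stop'

# Protocols with no business use on a CUI endpoint: blocked in both directions (placeholders)
$blockedPorts = @(
    @{ Name = 'FTP';    Protocol = 'TCP'; Port = 21 }
    @{ Name = 'Telnet'; Protocol = 'TCP'; Port = 23 }
    @{ Name = 'VNC';    Protocol = 'TCP'; Port = 5900 }
)
# Services that are not essential on the target systems (placeholders)
$disabledServices = 'RemoteRegistry', 'TlntSvr', 'SNMPTRAP'

function Set-LeastFunctionalityBaseline {
    foreach ($p in $blockedPorts) {
        foreach ($dir in 'Inbound', 'Outbound') {
            $name = "CUI-Baseline Block $($p.Name) $dir"
            # Idempotent: replace an existing rule of the same name instead of duplicating it
            Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
            # Inbound rules match the local port; outbound rules match the remote port
            $portArg = if ($dir -eq 'Inbound') { @{ LocalPort = $p.Port } } else { @{ RemotePort = $p.Port } }
            New-NetFirewallRule -DisplayName $name -Direction $dir -Action Block -Protocol $p.Protocol `
                -Profile Any -Enabled True @portArg | Out-Null
        }
    }
    foreach ($svc in $disabledServices) {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if (-not $s) { continue }                       # not installed on this host
        if ($s.Status -ne 'Stopped') { Stop-Service -Name $svc -Force }
        Set-Service -Name $svc -StartupType Disabled    # survives reboot, unlike a plain stop
    }
}

function Test-LeastFunctionalityBaseline {
    # One pass/fail row per expected rule and service, for the compliance report
    $checks = @(foreach ($p in $blockedPorts) {
        foreach ($dir in 'Inbound', 'Outbound') {
            $r = Get-NetFirewallRule -DisplayName "CUI-Baseline Block $($p.Name) $dir" -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                Check = "Block $($p.Name) $dir"
                Pass  = [bool]($r -and $r.Enabled -eq 'True' -and $r.Action -eq 'Block')
            }
        }
    })
    $checks += @(foreach ($svc in $disabledServices) {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Check = "Service $svc disabled"
            Pass  = (-not $s) -or ($s.StartType -eq 'Disabled' -and $s.Status -eq 'Stopped')
        }
    })
    $checks
}

Set-LeastFunctionalityBaseline
Test-LeastFunctionalityBaseline | Format-Table -AutoSize
```

Setting the startup type to Disabled matters as much as stopping the service: a stopped service with Automatic startup is back after the next reboot, which is exactly the drift a periodic verification run is meant to catch.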

3.4.8

Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

Blacklist or whitelist applications across your organization or only for a specific group with Desktop Central’s app control add-on.

3.4.9

Control and monitor user-installed software.

Desktop Central provides a Self-Service Portal that allows you to publish software to target users or computers. Unlike manual software deployment, you publish a list of software to a group (target users or computers) and let users install the software they need. The Application Control Plus add-on provides a blacklisting feature that lets you associate an application blacklist with different custom groups, taking each user’s role in the enterprise into account.

3.5

Identification & Authentication


3.5.1

Identify system users, processes acting on behalf of users, and devices.

Desktop Central's System Manager enables administrators to perform various system management tasks, such as viewing the list of users on the managed computers. Desktop Central also provides the list of devices associated with each computer and the option to enable or disable the drivers for those devices.

System users, processes and services running on the machines can be identified and viewed using Desktop Central. Common device identifiers like MAC and IP addresses are available.

Custom fields can be added and the endpoints can be marked with different identifiers according to your requirements.

3.5.2

Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational systems.

The list of users of the managed computers and the list of devices associated with them is accessible under Tools > System Manager. System Manager also provides a list of running processes on systems, which can be killed or managed as required. Privileged access can be enabled using the MDM and Application Control modules.

3.5.7

Enforce a minimum password complexity and change of characters when new passwords are created.

Enforce password complexity using a custom script in Desktop Central.
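The custom scripts mentioned for 3.1.8 (limit unsuccessful logon attempts) and 3.5.7 (password complexity and change of characters) both come down to the local security policy's account settings. As an added example (not Desktop Central's own code), the script below writes those settings with a secedit security template and then reads the effective values back from "net accounts" and a secedit export, so the same script both enforces and proves the control. The numeric values are placeholders; on domain-joined machines the domain password policy takes precedence over these local settings.

```powershell
# Added example, not Desktop Central's own code: enforce lockout (3.1.8) and password
# complexity/history (3.5.7) in the local security policy with secedit, then read the
# effective values back. Values are placeholders. Run elevated.

$ErrorActionPreference = 'Stop'

# [System Access] keys of a secedit security template (placeholder values)
$policy = [ordered]@{
    LockoutBadCount       = 5    # failed attempts before lockout (0 = never lock)
    LockoutDuration       = 15   # minutes the account stays locked
    ResetLockoutCount     = 15   # minutes before the failed-attempt counter resets
    PasswordComplexity    = 1    # require mixed character classes
    MinimumPasswordLength = 14
    PasswordHistorySize   = 24   # remembered passwords, so a "new" password must differ
    MinimumPasswordAge    = 1
    MaximumPasswordAge    = 90
}

$work = Join-Path $env:TEMP 'cui-account-policy'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$template = Join-Path $work 'policy.inf'
$database = Join-Path $work 'policy.sdb'

# Build the template: secedit expects a Unicode INF with these header sections
$lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[System Access]')
foreach ($key in $policy.Keys) { $lines += "$key = $($policy[$key])" }
Set-Content -Path $template -Value $lines -Encoding Unicode

secedit /configure /db $database /cfg $template /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }

function Get-EffectiveAccountPolicy {
    # "net accounts" reports the lockout and password settings now in force.
    # Complexity is not in that output, so it is read from a secedit export instead.
    $labels = @{
        'Lockout threshold'                      = 'LockoutBadCount'
        'Lockout duration \(minutes\)'           = 'LockoutDuration'
        'Lockout observation window \(minutes\)' = 'ResetLockoutCount'
        'Minimum password length'                = 'MinimumPasswordLength'
        'Length of password history maintained'  = 'PasswordHistorySize'
        'Maximum password age \(days\)'          = 'MaximumPasswordAge'
    }
    $effective = @{}
    foreach ($line in (net accounts)) {
        foreach ($label in $labels.Keys) {
            if ($line -match "^$label\s*:\s*(\S+)") { $effective[$labels[$label]] = $Matches[1] }
        }
    }
    $export = Join-Path $work 'effective.inf'
    secedit /export /cfg $export /areas SECURITYPOLICY /quiet | Out-Null
    $m = Get-Content $export | Select-String '^PasswordComplexity\s*=\s*(\d)'
    if ($m) { $effective['PasswordComplexity'] = $m.Matches[0].Groups[1].Value }
    $effective
}

function Test-AccountPolicy {
    $effective = Get-EffectiveAccountPolicy
    foreach ($key in $effective.Keys) {
        [PSCustomObject]@{
            Setting   = $key
            Expected  = $policy[$key]
            Effective = $effective[$key]         # "Never" / "None" mean the control is off
            Pass      = ("$($effective[$key])" -eq "$($policy[$key])")
        }
    }
}

Test-AccountPolicy | Format-Table -AutoSize
```

The verification deliberately does not trust the template it just applied: "net accounts" shows what the Local Security Authority is actually enforcing, which is what an assessor will check, and on a domain member it will show the domain values if they differ.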

3.5.9

Allow temporary password use for system logons with an immediate change to a permanent password.

The User Management Configuration of Desktop Central allows you to define the scope of a user and specify a username and password.

3.7

Maintenance


3.7.1

Perform maintenance on organizational systems.

Desktop Central offers configurations that help you manage applications, system settings, desktop settings, and security policies. Desktop Central also offers a wide range of tools with which you can perform a variety of operations while troubleshooting and maintaining organizational systems.

3.7.5

Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

Desktop Central provides multi-factor authentication in the form of two-factor authentication. When two-factor authentication is enabled, users are prompted to enter a one-time password (OTP) along with their regular password. Desktop Central supports two-factor authentication in two modes: email and Google Authenticator. The Remote Desktop Sharing feature in Desktop Central lets you access remote computers in the network, which can be used for non-local maintenance.

3.7.6

Supervise the maintenance activities of maintenance personnel without required access authorization.

Utilize Desktop Central's remote control, with a view-only mode option, to supervise maintenance personnel’s activity on endpoints.

3.8

Media Protection


3.8.1

Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.

Restrict the use of removable storage media using Desktop Central's Device Control Plus add-on.

3.8.2

Limit access to CUI on system media to authorized users.

Control, block and monitor USB and peripheral devices using Desktop Central's Device Control Plus add-on. The Drive Mapping configuration in Desktop Central lets you map a remote network resource to user machines, which simplifies the process.

3.8.3

Sanitize or destroy system media containing CUI before disposal or release for reuse.

Delete files that contain CUI from your organization’s systems with Desktop Central’s file folder operation.

3.8.5

Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

ManageEngine's Device Control Plus add-on lets you manage USB devices and provides features such as file tracing and file shadowing that help you establish flexible but extensive control over file operations. It helps you apply policies to manage and effectively protect all data traveling within or across network perimeters. Shares and network drives can be managed using the drive mapping configurations in Desktop Central.

3.8.7

Control the use of removable media on system components.

Control the use of all types of removable media with more advanced options using Desktop Central’s Device Control Plus add-on.

3.8.9

Protect the confidentiality of backup CUI at storage locations.

Protect the CUI backups stored in systems by encrypting the hard drives that store those backups using Desktop Central’s BitLocker add-on.

3.9

Personnel Security


3.9.2

Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

Remotely wipe systems in case of personnel terminations and transfers with Desktop Central’s remote wipe capability. Before wiping the data, you can back up the folder using the product’s folder backup configuration. You can also move those backup files to the secured systems repository using the file folder configuration.

3.11

Risk Assessment


3.11.1

Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.

Each Desktop Central module has predefined reporting functionalities so you can audit information related to your organization’s systems, which helps to take further actions to strengthen the security of CUI. You can fetch the status of your systems with the security add-on and provide this information as built-in reports. After reviewing the status of the systems’ security health, you can perform the necessary actions right from the reports.

3.11.2

Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

Desktop Central’s Vulnerability Manager Plus add-on scans your organization’s systems periodically to discover software vulnerabilities and remediate them through patching. It also finds security misconfigurations and allows you to remediate them in bulk through a centralized console.

3.11.3

Remediate vulnerabilities in accordance with risk assessments.

Desktop Central's Vulnerability Manager Plus add-on periodically scans systems to discover vulnerabilities and remediate them through patching, helping to reduce risk.

Vulnerability Manager Plus also finds security misconfigurations in organizational systems and allows you to remediate them in bulk through a centralized console.

3.12

Security Assessment


3.12.1

Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

Each of Desktop Central's modules offers predefined reporting to help audit information related to organizational systems, which helps you take further action to strengthen the security of CUI. You can fetch the status of your organization’s systems and provide this information as built-in reports with the security add-on. Review the status of your systems’ security health and perform the necessary actions right from the reports.

3.12.2

Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

Identify vulnerabilities with periodic scanning and correct deficiencies by deploying missing patches to systems using Desktop Central’s patching capability. Desktop Central's Vulnerability Manager Plus add-on finds security misconfigurations in your organization’s systems and allows you to remediate them in bulk through a centralized console.

3.12.3

Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Desktop Central provides data about the security status of the endpoints managed in your network, which helps you monitor the controls and ensure that they do not lose effectiveness over time.

3.13

System & Communications


3.13.1

Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Desktop Central's firewall configuration helps you block or allow inbound or outbound communications on systems using specified ports. This helps minimize attacks through unneeded open ports.

3.13.4

Prevent unauthorized and unintended information transfer via shared system resources.

Desktop Central provides data access control information, including the folders that are shared with various permission levels. Permission management helps revoke permissions for those folders.

3.13.16

Protect the confidentiality of CUI at rest.

Desktop Central provides information on which folders are shared with what level of permissions. This data access control information helps mitigate the risk of CUI being shared with full or write-level permission.

Encrypt your systems’ hard disks with Desktop Central’s BitLocker add-on to ensure the CUI stored on those systems is secure.
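The data-access-control information described for 3.13.4 and 3.13.16 (which folders are shared, with what permissions) and the disk-encryption state can both be gathered from the endpoint itself. As an added example (not Desktop Central's own code), the script below uses the SmbShare and BitLocker PowerShell modules (Windows 8 / Server 2012 and later) to report shares that grant broad principals change or full control, offers a remediation that swaps such an entry for read access by an approved group (placeholder name), and lists fixed drives that BitLocker is not protecting. The sample access entries are constructed so the filtering logic can be seen without a file server.

```powershell
# Added example, not Desktop Central's own code: over-exposed share report and
# remediation (3.13.4 / 3.13.16) plus a BitLocker protection check (3.13.16).
# Approved group name and sample entries are placeholders. Run elevated.

# Principals that make a share effectively public inside the network
$BroadPrincipals = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
$ApprovedReaders = 'CONTOSO\CUI-Readers'   # placeholder group

function Select-BroadAccess {
    # Pure filtering logic, so it runs on constructed entries as well as live ones
    param([Parameter(ValueFromPipeline)]$Entry)
    process {
        if ($Entry.AccessControlType -eq 'Allow' -and
            $Entry.AccessRight -in 'Full', 'Change' -and
            $Entry.AccountName -in $BroadPrincipals) { $Entry }
    }
}

function Get-OverexposedShares {
    # Administrative shares (C$, ADMIN$, IPC$) are skipped: they are admin-only by design
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Select-BroadAccess | ForEach-Object {
            [PSCustomObject]@{ Share = $share.Name; Path = $share.Path; Principal = $_.AccountName; Right = $_.AccessRight }
        }
    }
}

function Repair-OverexposedShare {
    # Replace the broad entry with read access for the approved group
    param([Parameter(Mandatory)][string]$Share, [Parameter(Mandatory)][string]$Principal)
    Revoke-SmbShareAccess -Name $Share -AccountName $Principal -Force | Out-Null
    Grant-SmbShareAccess  -Name $Share -AccountName $ApprovedReaders -AccessRight Read -Force | Out-Null
}

function Get-UnprotectedFixedDrives {
    # ProtectionStatus Off means no key protector is active, even if the volume is encrypted
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' -and $_.ProtectionStatus -ne 'On' } |
        Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus
}

# Constructed sample entries in the shape Get-SmbShareAccess returns
$sampleAccess = @(
    [PSCustomObject]@{ Name = 'Projects'; AccountName = 'Everyone';                         AccessControlType = 'Allow'; AccessRight = 'Full' }
    [PSCustomObject]@{ Name = 'Projects'; AccountName = 'CONTOSO\CUI-Readers';              AccessControlType = 'Allow'; AccessRight = 'Read' }
    [PSCustomObject]@{ Name = 'Scans';    AccountName = 'NT AUTHORITY\Authenticated Users'; AccessControlType = 'Allow'; AccessRight = 'Change' }
    [PSCustomObject]@{ Name = 'Scans';    AccountName = 'Everyone';                         AccessControlType = 'Deny';  AccessRight = 'Full' }
)
$sampleAccess | Select-BroadAccess | Format-Table -AutoSize   # flags Projects/Everyone and Scans/Authenticated Users

# Live use (elevated):
# Get-OverexposedShares | ForEach-Object { Repair-OverexposedShare -Share $_.Share -Principal $_.Principal }
# Get-UnprotectedFixedDrives
```

Share permissions are only the outer gate: NTFS permissions on the underlying folder still apply, so a share reduced to Read for an approved group should be paired with an NTFS review of the same path before the folder is treated as CUI-safe.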

3.14

System and Information Integrity


3.14.1

Identify, report, and correct system flaws in a timely manner.

Identify systems with security misconfigurations and missing patches, service packs, and antivirus definition updates with Desktop Central’s vulnerability scanning, and remediate these flaws from a centralized console.

3.14.3

Monitor system security alerts and advisories and take actions in response.

Desktop Central provides event logs (classified as errors, information messages and warnings) which help in auditing and troubleshooting. Using the vulnerability module gives you an assessment of the security posture of the managed endpoints.

3.14.6

Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

Block or allow inbound and outbound connections on systems with Desktop Central’s firewall configuration; this helps minimize attacks through unneeded open ports.

3.14.7

Identify unauthorized use of organizational systems.

Track the use of USB devices on each system using Desktop Central’s USB audit feature. Detect systems that contain unapproved applications and uninstall that software using Desktop Central.
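Both halves of 3.14.7 above, the USB usage audit and the detection of unapproved applications, can be gathered per endpoint from the Windows registry. As an added example (not Desktop Central's own code), the script below lists the USB storage devices that have been attached to a machine (Windows keeps one key per device under USBSTOR) and compares installed software against an approved list. The approved list and the sample inventory are constructed placeholders; reading HKLM needs an elevated session.

```powershell
# Added example, not Desktop Central's own code: USB storage history and unapproved
# software inventory for 3.14.7. Approved list and sample inventory are placeholders.

function Get-UsbStorageHistory {
    # Layout: USBSTOR\<Disk&Ven_xxx&Prod_yyy>\<serial or instance id>
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return }
    foreach ($model in Get-ChildItem $root) {
        foreach ($instance in Get-ChildItem $model.PSPath) {
            $props = Get-ItemProperty $instance.PSPath
            [PSCustomObject]@{
                Computer     = $env:COMPUTERNAME
                Model        = $model.PSChildName
                Serial       = $instance.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

function Get-InstalledSoftware {
    # Both the native and the 32-bit-on-64-bit uninstall hives
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString
}

function Find-UnapprovedSoftware {
    # Wildcard, case-insensitive match of each installed title against the approved patterns
    param(
        [Parameter(Mandatory)][string[]]$Approved,
        [object[]]$Installed = (Get-InstalledSoftware)
    )
    foreach ($app in $Installed) {
        $name = $app.DisplayName
        $matched = $Approved | Where-Object { $name -like $_ }
        if (-not $matched) { $app }   # UninstallString is reported for the removal step, not run here
    }
}

# Constructed sample inventory and approved list
$sampleInstalled = @(
    [PSCustomObject]@{ DisplayName = 'Microsoft Edge';     DisplayVersion = '120.0'; Publisher = 'Microsoft Corporation' }
    [PSCustomObject]@{ DisplayName = '7-Zip 23.01 (x64)';  DisplayVersion = '23.01'; Publisher = 'Igor Pavlov' }
    [PSCustomObject]@{ DisplayName = 'Example P2P Client'; DisplayVersion = '4.5';   Publisher = 'Unknown' }
)
$approved = 'Microsoft *', '7-Zip *', 'ManageEngine *'
Find-UnapprovedSoftware -Approved $approved -Installed $sampleInstalled   # reports only "Example P2P Client"

# Live use (elevated):
# Get-UsbStorageHistory | Format-Table -AutoSize
# Find-UnapprovedSoftware -Approved $approved | Format-Table DisplayName, Publisher, UninstallString
```

The USBSTOR enumeration is historical: it records devices that were attached at some point, not what is plugged in now, which is what makes it useful for an audit of past use. Software installed per user (under HKCU) or as a portable executable will not appear in the uninstall hives, so this inventory complements rather than replaces application control.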