9 – Access Control
In the Reports Portal, select > > > > Dashboards or Reports > .
Control 9: Access Control of the ISO 27002 standard focuses on preventing unauthorized user access to information and the facilities that process information.
To assess your enterprise's compliance with this requirement, use the following dashboard and reports:
| Dashboards | Reports |
|---|---|
| Authentication with Null Sessions | |

- Account Lockouts by User: Reports the accounts most often locked out. The table provides results about the locked-out user, the target IP address and host name, the number of events, and when the most recent event occurred.
- Reports all successful, failed, and attempted login activity by all users in the network. The table provides results by the IP address and name of the target system, the source IP address, the user involved, the outcome of the login attempt, the number of attempts, and when the most recent attempt occurred.
- Reports possible null authentication sessions where the outcome is successful, failed, or an attempt. A null session attack exploits an authentication vulnerability for Windows Administrative Shares where a malicious user connects to a local or remote share without authentication. The table provides results by the target IP address and user, the source IP address and user, the outcome of the authentication attempt, the number of attempts, and when the most recent attempt occurred.
- Reports authorization changes made on systems and the number of events per host. The table provides results by the target zone, IP address, and user; the source user; the type of event; the number of attempts; and when the most recent attempt occurred.
- Reports all changes made to privileged accounts, such as password changes. The table provides results by the event, the name and IP address of the user who made the change, and when the change occurred.
- Reports the access rights removed from user accounts. The table provides results by the access right that was removed, the IP address and host where the change was made, the user who made the change, the number of changes, and when the change occurred.
- Reports the details of successful brute force logins. The table provides results by the user logging in, the IP address and host affected, the number of logins, and when the event occurred.
- Reports login sessions where the user is unauthorized for the specific network domain. The table provides results by the user who attempted access, the target IP address and host, the source IP address for the user, the outcome of the attempt, the number of attempts, and when the event occurred.

  To specify authorized users and network domains, update the variables and . For more information, see the Solutions Guide for ArcSight Compliance Pack for IT Governance.
- Reports all events that indicate a user account has been added to a system. The table provides results by the IP address and host where the event occurred, the user adding accounts, the number of events, and when the event occurred.
- Reports all events that indicate a user account has been removed from a system. The table provides results by the IP address and host where the event occurred, the user removing accounts, the number of events, and when the event occurred.
- Provides, in charts, details of scans, probes, and unauthorized access. You can view the number of accounts created and deleted by the user making the change, as well as the hosts that have been added or deleted.