NIST 800-53 REV 5 • ACCESS CONTROL
AC-17(5) — Monitoring for Unauthorized Connections
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Actively monitor for unauthorized remote connections. Just having authentication is not enough — you need to watch for connections that bypass your official remote access channels.
Example 1: On your firewall, create rules that block common remote access ports (3389, 22, 5900) from the internet and log any attempts. In your SIEM, alert on any internal system with an active listener on these ports that is not on your list of approved remote access systems.
Example 2: Run a weekly network scan (Nessus, Qualys) specifically looking for unauthorized remote access services — TeamViewer, AnyDesk, ngrok, reverse SSH tunnels. Add these application signatures to your IDS/IPS and your application control whitelist. Alert when any are detected.
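The check described in Examples 1 and 2, as an added example that is not part of the original notes: it compares a listener inventory against an approved list and flags unapproved listeners on 3389, 22 and 5900 as well as the named remote access tools. The host names, the approved list, the `host,port,process` record layout and the sample inventory are constructed assumptions.

```python
# Added example: all hosts, the approved list and the inventory are constructed.
REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC"}
UNAPPROVED_TOOLS = ("teamviewer", "anydesk", "ngrok")

# Approved remote access systems: (host, port) pairs allowed to listen.
APPROVED = {("jump01", 22), ("rdgw01", 3389)}

# Constructed listener inventory, e.g. exported from a scanner or endpoint agent.
# Assumed record layout: host,port,process
SAMPLE_INVENTORY = """\
jump01,22,sshd
rdgw01,3389,TermService
ws-114,3389,TermService
ws-207,5900,vncserver
ws-311,5938,TeamViewer_Service.exe
db02,5432,postgres
dev-09,4040,ngrok
rdgw01,22,sshd
"""

def parse_inventory(text):
    """Yield (host, port, process); reject malformed records instead of skipping them."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or not parts[1].isdigit():
            raise ValueError(f"line {lineno}: expected host,port,process")
        yield parts[0].lower(), int(parts[1]), parts[2]

def find_unauthorized(text, approved=APPROVED):
    """Return (host, port, reason) for every listener that should raise an alert."""
    alerts = []
    for host, port, process in parse_inventory(text):
        # A named remote access tool is flagged on any port it listens on.
        tool = next((t for t in UNAPPROVED_TOOLS if t in process.lower()), None)
        if tool:
            alerts.append((host, port, f"unapproved remote access tool: {tool}"))
        # Approval is per (host, port): an approved RDP gateway is not approved for SSH.
        elif port in REMOTE_ACCESS_PORTS and (host, port) not in approved:
            alerts.append((host, port, f"unapproved {REMOTE_ACCESS_PORTS[port]} listener"))
    return alerts

if __name__ == "__main__":
    for host, port, reason in find_unauthorized(SAMPLE_INVENTORY):
        print(f"ALERT {host}:{port} {reason}")
```

Keying approval on the host and port pair, not the host alone, is what surfaces the SSH listener on the otherwise approved RDP gateway.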