NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-7(16) — Prevent Discovery of System Components
Prevent the discovery of specific system components that represent a managed interface.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Preventing the discovery of system components representing a managed interface helps protect network addresses of those components from discovery through common tools and techniques used to identify devices on networks. Network addresses are not available for discovery and require prior knowledge for access. Preventing the discovery of components and devices can be accomplished by not publishing network addresses, using network address translation, or not entering the addresses in domain name systems. Another prevention technique is to periodically change network addresses.
Practitioner Notes
This enhancement is narrower than it first reads. It is about keeping the network addresses of managed interfaces (firewalls, VPN concentrators, out-of-band management ports, bastion hosts) out of reach of routine discovery, so that an attacker needs prior knowledge to even find them. Treat it as defense in depth: it raises the cost of reconnaissance but does not replace authentication and filtering on the interface itself, and it is not satisfied by a NAT rule or an unpublished name alone if the address can still be enumerated by scanning.
Example 1: Publish in your external DNS only the records the outside world needs: the MX record for mail, the A/AAAA records for public web hosts, and the TXT records that mail authentication depends on (SPF, DKIM, DMARC). Remove HINFO records, TXT records that carry software names or versions, and any names or RFC 1918 addresses that belong to internal or management hosts; those belong in an internal view (split-horizon DNS), not in the zone anyone can query. Review the public zone periodically, since records tend to accumulate.
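The following script is an added example for this page, not NIST text or any vendor's tool. It audits a BIND-style zone for the records Example 1 says should not be published: HINFO records, A/AAAA records pointing at RFC 1918 space, TXT records that look like version strings (mail-auth records are kept), and names outside an approved publication list. The zone, the approved-name list and the "internal hint" patterns are constructed assumptions to adapt per environment.

```python
"""Audit an external DNS zone for records that leak internal structure.

Added example for this page (not NIST text). The sample zone below is
constructed for illustration, not data from a real domain.
"""
import ipaddress
import re

# Constructed sample zone. Class "IN" must be present on each record line;
# the simplified parser below skips lines that omit it.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA   ns1.example.com. hostmaster.example.com. (2024010101 3600 900 604800 300)
@        IN NS    ns1.example.com.
@        IN MX 10 mail.example.com.
@        IN A     203.0.113.10
www      IN A     203.0.113.10
mail     IN A     203.0.113.25
ns1      IN A     203.0.113.53
mgmt-fw1 IN A     203.0.113.2        ; managed interface, should not be here
vpn-gw   IN A     203.0.113.3
intranet IN A     10.20.30.40        ; private address in a public zone
db01     IN HINFO "PC-Intel-2.4GHz" "Ubuntu 20.04"
www      IN TXT   "server=nginx/1.18.0"
@        IN TXT   "v=spf1 mx -all"
"""

PUBLIC_NAMES = {"@", "www", "mail", "ns1"}   # assumption: names approved for publication
INTERNAL_HINT = re.compile(r"(mgmt|admin|vpn|fw|intranet|internal|db\d*|dev|test)", re.I)
VERSION_HINT = re.compile(r"\b\d+\.\d+(\.\d+)?\b")          # 1.18.0, 20.04, ...
SAFE_TXT_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1")        # mail auth, must stay public

# Explicit RFC 1918 / link-local / ULA ranges. ipaddress.is_private is not used
# because it also reports documentation ranges such as 203.0.113.0/24 as private.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "169.254.0.0/16", "fc00::/7", "fe80::/10")]


def parse_zone(text):
    """Yield (owner, rtype, rdata) tuples from a simple zone file."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop comments
        if not line or line.startswith("$"):      # skip $ORIGIN/$TTL directives
            continue
        tokens = line.split()
        if "IN" not in tokens:
            continue
        i = tokens.index("IN")
        name, rtype, rdata = tokens[0], tokens[i + 1], tokens[i + 2:]
        if rtype == "MX":
            rdata = rdata[1:]                      # drop the preference value
        records.append((name, rtype, " ".join(rdata)))
    return records


def audit_zone(text, public_names=PUBLIC_NAMES):
    """Return a list of (owner, rtype, reason) findings for a public zone."""
    findings = []
    for name, rtype, rdata in parse_zone(text):
        if rtype == "HINFO":
            findings.append((name, rtype, "HINFO discloses hardware/OS; delete it"))
            continue
        if rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(rdata)
            except ValueError:
                findings.append((name, rtype, f"unparseable address {rdata!r}"))
                continue
            if any(addr in net for net in PRIVATE_NETS):
                findings.append((name, rtype, f"private address {addr} in public zone"))
        if rtype == "TXT":
            body = rdata.strip('"')
            if not body.startswith(SAFE_TXT_PREFIXES) and VERSION_HINT.search(body):
                findings.append((name, rtype, f"TXT looks like a version string: {body}"))
        if rtype in ("A", "AAAA", "CNAME") and name not in public_names:
            hint = " (name suggests a managed/internal interface)" if INTERNAL_HINT.search(name) else ""
            findings.append((name, rtype, "not on the approved publication list" + hint))
    return findings


if __name__ == "__main__":
    for owner, rtype, reason in audit_zone(SAMPLE_ZONE):
        print(f"{owner:10} {rtype:6} {reason}")
```

Run it against a zone transfer or export of the public zone (for example the output of `dig AXFR` from an authoritative server you control, saved to a file) and treat every finding as a record to justify or delete. The approved-name list is the important part: it forces the "is this actually needed outside?" question for every record.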
Example 2: On your web servers, suppress version banners. In Apache set ServerTokens Prod and ServerSignature Off, which reduces the Server header to "Apache" and removes the version footer from error pages. On IIS, the X-Powered-By header comes from ASP.NET and is removed with a customHeaders remove entry in web.config; the Server: Microsoft-IIS header needs the requestFiltering removeServerHeader setting (IIS 10 and later) or a rewrite rule. At the firewall, drop (rather than reject) ICMP echo requests and packets to closed ports from untrusted networks so that ping sweeps and scans get no answer; do not block ICMP wholesale, since type 3 code 4 (fragmentation needed) is required for path MTU discovery. Keep the limits of this in mind: banner suppression hides versions, not the existence of a listening service, and it does not by itself address the enhancement's actual subject, the discoverability of managed-interface addresses.
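To check that the banner changes in Example 2 took effect, the following added example (not NIST text or vendor code) parses a raw HTTP response head, such as the output of `curl -sI https://host/`, and lists what an outside observer learns from it. The three responses it is run against are constructed samples, not captures from a real host; the header list it treats as identifying is an assumption that covers the common PHP, ASP.NET and CMS cases.

```python
"""Flag HTTP response headers that disclose server software or versions.

Added example for this page, not NIST or vendor code. Samples are constructed.
"""
import re

# Headers whose presence identifies the stack; their values usually add a version.
IDENTIFYING_HEADERS = {
    "x-powered-by",          # PHP, ASP.NET, Express
    "x-aspnet-version",      # ASP.NET runtime
    "x-aspnetmvc-version",
    "x-generator",           # CMS fingerprint
}
VERSION_RE = re.compile(r"\d+\.\d+")   # any dotted number counts as a version

# Constructed samples. LEAKY_APACHE is what default Apache+PHP tends to send;
# HARDENED is what ServerTokens Prod produces once X-Powered-By is suppressed.
LEAKY_APACHE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
LEAKY_IIS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return {lower-case name: value} from a raw HTTP response head."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:                 # line 0 is the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosures(raw):
    """List the software/version facts an external observer gets from the headers."""
    found = []
    h = parse_headers(raw)
    server = h.get("server")
    if server and VERSION_RE.search(server):
        found.append(f"Server header carries a version: {server}")
    for name in sorted(IDENTIFYING_HEADERS):
        if name in h:
            found.append(f"{name} present: {h[name]}")
    return found


if __name__ == "__main__":
    for label, sample in (("apache", LEAKY_APACHE), ("iis", LEAKY_IIS), ("hardened", HARDENED)):
        print(label, disclosures(sample) or "no version disclosure")
```

A bare "Server: Apache" still names the product, which is all ServerTokens Prod removes; hiding the product entirely needs mod_security's SecServerSignature or a reverse proxy in front. Run the check after every deployment, because a framework upgrade or a new module can silently reintroduce X-Powered-By.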