NIST 800-53 REV 5 • ACCESS CONTROL
AC-17(8) — Disable Nonsecure Network Protocols
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Disable nonsecure network protocols for remote access. If a protocol does not provide adequate encryption or authentication, turn it off.
Example 1: Disable Telnet (port 23) on all network devices and use SSH instead. On Cisco devices, run "line vty 0 4" then "transport input ssh". On your firewall, create a rule blocking outbound and inbound Telnet at the network boundary.
Example 2: Disable unencrypted FTP and replace it with SFTP or FTPS. On your Windows servers, uninstall the FTP feature if not needed, or configure IIS FTP to require SSL under FTP SSL Settings → Require SSL connections. Block port 21 on your firewall for good measure.
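A way to verify Example 1 after the change, as an added example that is not part of the original notes: it parses a Cisco IOS-style configuration and reports every vty range, because "line vty 0 4" covers only those five lines and a device may define more. The sample configuration, hostname and function names are constructed for illustration, and a vty block with no "transport input" line is marked for review on the assumption that the default cannot be relied on to exclude Telnet.

```python
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
line con 0
 exec-timeout 5 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
line vty 16 31
 login local
!
end
"""

# Allowlist: anything else (telnet, rlogin, all, ...) counts as nonsecure.
SECURE = {"ssh", "none"}

def parse_vty_blocks(config):
    """Map each 'line vty' range to its transport-input list (None if unset)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):  # any unindented line ends the current block
            m = re.match(r"line vty (\d+(?: \d+)?)\s*$", raw)
            current = m.group(1) if m else None
            if current:
                blocks[current] = None
        elif current:
            m = re.match(r"\s+transport input (.+)$", raw)
            if m:
                blocks[current] = m.group(1).split()
    return blocks

def audit_vty(config):
    """Return {vty_range: 'PASS' | 'FAIL' | 'REVIEW'} for every vty block."""
    results = {}
    for rng, protos in parse_vty_blocks(config).items():
        if protos is None:
            results[rng] = "REVIEW"  # assumption: default may still allow Telnet
        else:
            results[rng] = "PASS" if set(protos) <= SECURE else "FAIL"
    return results

if __name__ == "__main__":
    for rng, status in audit_vty(SAMPLE_CONFIG).items():
        print(f"line vty {rng}: {status}")
```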