Limit Access to Resource Over Network, Mitigation M1035 - Enterprise

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v15/theme/favicon.ico" type='image/x-icon'> <title>Limit Access to Resource Over Network, Mitigation M1035 - Enterprise | MITRE ATT&CK®</title>   <link rel='stylesheet' href="/versions/v15/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v15/theme/style/bootstrap-tourist.css" /> <link rel='stylesheet' href="/versions/v15/theme/style/bootstrap-select.min.css" />  <link rel="stylesheet" href="/versions/v15/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/versions/v15/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/versions/v15/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/versions/v15/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1">  <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href="/versions/v15/"><img src="/versions/v15/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v15/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v15/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v15/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v15/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v15/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v15/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/versions/v15/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v15/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v15/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/versions/v15/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/groups">Groups</a> <a class="dropdown-item" href="/versions/v15/software">Software</a> <a class="dropdown-item" href="/versions/v15/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/resources/">Get Started</a> <a class="dropdown-item" href="/versions/v15/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/versions/v15/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v15/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/versions/v15/resources/faq/">FAQ</a> <a class="dropdown-item" href="/versions/v15/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/versions/v15/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/versions/v15/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>  <img src="/versions/v15/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1">  <div class="col px-0">  <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v15/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v15.1" target="_blank">ATT&CK v15.1</a> which was live between April 23, 2024 and October 30, 2024. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> </div> </div> <div class="row flex-grow-1 flex-shrink-0">   <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div>  <div id="sidebars"></div>  </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v15/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v15/mitigations">Mitigations</a></li> <li class="breadcrumb-item">Limit Access to Resource Over Network</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Limit Access to Resource Over Network </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="card-data"><span class="h5 card-title">ID:</span> M1035</div> <div class="card-data"><span class="h5 card-title">Version:</span> 1.0</div> <div class="card-data"><span class="h5 card-title">Created: </span>11 June 2019</div> <div class="card-data"><span class="h5 card-title">Last Modified: </span>09 June 2020</div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of M1035" href="/versions/v15/mitigations/M1035/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of M1035" href="/mitigations/M1035/" data-test-ignore="true">Live Version</a> </div> </div> </div> </div>  <div class="dropdown h3 mt-3 float-right"> <button class="btn btn-navy dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>ATT&CK<sup>®</sup> Navigator Layers</b> </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> <h6 class="dropdown-header">Enterprise Layer</h6> <a class="dropdown-item" href="/versions/v15/mitigations/M1035/M1035-enterprise-layer.json" download target="_blank">download</a>  <a class="dropdown-item" href="#" id="view-layer-on-navigator-enterprise" target="_blank">view <img width="10" src="/versions/v15/theme/images/external-site-dark.jpeg"></a> <script src="/versions/v15/theme/scripts/settings.js"></script> <script> if (window.location.protocol == "https:") { //view on navigator only works when this site is hosted on HTTPS var layerURL = window.location.protocol + "//" + window.location.host + base_url + "mitigations/M1035/M1035-enterprise-layer.json"; document.getElementById("view-layer-on-navigator-enterprise").href = "https://mitre-attack.github.io/attack-navigator//#layerURL=" + encodeURIComponent(layerURL); } else { //hide button document.getElementById("view-layer-on-navigator-enterprise").classList.add("d-none"); } </script> </div> </div>  <h2 class="pt-3 mb-2" id="techniques">Techniques Addressed by Mitigation</h2> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Use</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1557">T1557</a> </td> <td> <a href="/versions/v15/techniques/T1557">Adversary-in-the-Middle</a> </td> <td> <p>Limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce AiTM conditions.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1557/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1557/002">ARP Cache Poisoning</a> </td> <td> <p>Create static ARP entries for networked devices. Implementing static ARP entries may be infeasible for large networks.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1612">T1612</a> </td> <td> <a href="/versions/v15/techniques/T1612">Build Image on Host</a> </td> <td> <p>Limit communications with the container service to local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API on port 2375. Instead, communicate with the Docker API over TLS on port 2376.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Docker. (n.d.). Protect the Docker Daemon Socket. Retrieved March 29, 2021."data-reference="Docker Daemon Socket Protect"><sup><a href="https://docs.docker.com/engine/security/protect-access/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1609">T1609</a> </td> <td> <a href="/versions/v15/techniques/T1609">Container Administration Command</a> </td> <td> <p>Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Docker. (n.d.). Protect the Docker Daemon Socket. Retrieved March 29, 2021."data-reference="Docker Daemon Socket Protect"><sup><a href="https://docs.docker.com/engine/security/protect-access/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="The Kubernetes Authors. (n.d.). Controlling Access to The Kubernetes API. Retrieved March 29, 2021."data-reference="Kubernetes API Control Access"><sup><a href="https://kubernetes.io/docs/concepts/security/controlling-access/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access to API server.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Kubernetes. (n.d.). Overview of Cloud Native Security. Retrieved March 8, 2023."data-reference="Kubernetes Cloud Native Security"><sup><a href="https://kubernetes.io/docs/concepts/security/overview/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Microsoft. (2023, February 27). AKS-managed Azure Active Directory integration. Retrieved March 8, 2023."data-reference="Microsoft AKS Azure AD 2023"><sup><a href="https://learn.microsoft.com/en-us/azure/aks/managed-aad" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1613">T1613</a> </td> <td> <a href="/versions/v15/techniques/T1613">Container and Resource Discovery</a> </td> <td> <p>Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Docker. (n.d.). Protect the Docker Daemon Socket. Retrieved March 29, 2021."data-reference="Docker Daemon Socket Protect"><sup><a href="https://docs.docker.com/engine/security/protect-access/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="The Kubernetes Authors. (n.d.). Controlling Access to The Kubernetes API. Retrieved March 29, 2021."data-reference="Kubernetes API Control Access"><sup><a href="https://kubernetes.io/docs/concepts/security/controlling-access/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access to API server.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Kubernetes. (n.d.). Overview of Cloud Native Security. Retrieved March 8, 2023."data-reference="Kubernetes Cloud Native Security"><sup><a href="https://kubernetes.io/docs/concepts/security/overview/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Microsoft. (2023, February 27). AKS-managed Azure Active Directory integration. Retrieved March 8, 2023."data-reference="Microsoft AKS Azure AD 2023"><sup><a href="https://learn.microsoft.com/en-us/azure/aks/managed-aad" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1610">T1610</a> </td> <td> <a href="/versions/v15/techniques/T1610">Deploy Container</a> </td> <td> <p>Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API, Kubernetes API Server, and container orchestration web applications.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Docker. (n.d.). Protect the Docker Daemon Socket. Retrieved March 29, 2021."data-reference="Docker Daemon Socket Protect"><sup><a href="https://docs.docker.com/engine/security/protect-access/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="The Kubernetes Authors. (n.d.). Controlling Access to The Kubernetes API. Retrieved March 29, 2021."data-reference="Kubernetes API Control Access"><sup><a href="https://kubernetes.io/docs/concepts/security/controlling-access/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access to API server.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Kubernetes. (n.d.). Overview of Cloud Native Security. Retrieved March 8, 2023."data-reference="Kubernetes Cloud Native Security"><sup><a href="https://kubernetes.io/docs/concepts/security/overview/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Microsoft. (2023, February 27). AKS-managed Azure Active Directory integration. Retrieved March 8, 2023."data-reference="Microsoft AKS Azure AD 2023"><sup><a href="https://learn.microsoft.com/en-us/azure/aks/managed-aad" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1546">T1546</a> </td> <td> <a href="/versions/v15/techniques/T1546/008">.008</a> </td> <td> <a href="/versions/v15/techniques/T1546">Event Triggered Execution</a>: <a href="/versions/v15/techniques/T1546/008">Accessibility Features</a> </td> <td> <p>If possible, use a Remote Desktop Gateway to manage connections and security configuration of RDP within a network.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Microsoft. (n.d.). Overview of Remote Desktop Gateway. Retrieved June 6, 2016."data-reference="TechNet RDP Gateway"><sup><a href="https://technet.microsoft.com/en-us/library/cc731150.aspx" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1133">T1133</a> </td> <td> <a href="/versions/v15/techniques/T1133">External Remote Services</a> </td> <td> <p>Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1200">T1200</a> </td> <td> <a href="/versions/v15/techniques/T1200">Hardware Additions</a> </td> <td> <p>Establish network access control policies, such as using device certificates and the 802.1x standard. <span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Wikipedia. (2018, March 30). IEEE 802.1X. Retrieved April 11, 2018."data-reference="Wikipedia 802.1x"><sup><a href="https://en.wikipedia.org/wiki/IEEE_802.1X" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span> Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1542">T1542</a> </td> <td> <a href="/versions/v15/techniques/T1542">Pre-OS Boot</a> </td> <td> <p>Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1542/005">.005</a> </td> <td> <a href="/versions/v15/techniques/T1542/005">TFTP Boot</a> </td> <td> <p>Restrict use of protocols without encryption or authentication mechanisms. Limit access to administrative and management interfaces from untrusted network sources. </p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1563">T1563</a> </td> <td> <a href="/versions/v15/techniques/T1563/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1563">Remote Service Session Hijacking</a>: <a href="/versions/v15/techniques/T1563/002">RDP Hijacking</a> </td> <td> <p>Use remote desktop gateways.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1021">T1021</a> </td> <td> <a href="/versions/v15/techniques/T1021">Remote Services</a> </td> <td> <p>Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1021/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1021/001">Remote Desktop Protocol</a> </td> <td> <p>Use remote desktop gateways.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1021/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1021/002">SMB/Windows Admin Shares</a> </td> <td> <p>Consider disabling Windows administrative shares.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1552">T1552</a> </td> <td> <a href="/versions/v15/techniques/T1552">Unsecured Credentials</a> </td> <td> <p>Limit network access to sensitive services, such as the Instance Metadata API.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1552/005">.005</a> </td> <td> <a href="/versions/v15/techniques/T1552/005">Cloud Instance Metadata API</a> </td> <td> <p>Limit access to the Instance Metadata API using a host-based firewall such as iptables.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1552/007">.007</a> </td> <td> <a href="/versions/v15/techniques/T1552/007">Container API</a> </td> <td> <p>Limit communications with the container service to managed and secured channels, such as local Unix sockets or remote access via SSH. Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Docker. (n.d.). Protect the Docker Daemon Socket. Retrieved March 29, 2021."data-reference="Docker Daemon Socket Protect"><sup><a href="https://docs.docker.com/engine/security/protect-access/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="The Kubernetes Authors. (n.d.). Controlling Access to The Kubernetes API. Retrieved March 29, 2021."data-reference="Kubernetes API Control Access"><sup><a href="https://kubernetes.io/docs/concepts/security/controlling-access/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> In Kubernetes clusters deployed in cloud environments, use native cloud platform features to restrict the IP ranges that are permitted to access to API server.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Kubernetes. (n.d.). Overview of Cloud Native Security. Retrieved March 8, 2023."data-reference="Kubernetes Cloud Native Security"><sup><a href="https://kubernetes.io/docs/concepts/security/overview/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> Where possible, consider enabling just-in-time (JIT) access to the Kubernetes API to place additional restrictions on access.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Microsoft. (2023, February 27). AKS-managed Azure Active Directory integration. Retrieved March 8, 2023."data-reference="Microsoft AKS Azure AD 2023"><sup><a href="https://learn.microsoft.com/en-us/azure/aks/managed-aad" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://docs.docker.com/engine/security/protect-access/" target="_blank"> Docker. (n.d.). Protect the Docker Daemon Socket. Retrieved March 29, 2021. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://kubernetes.io/docs/concepts/security/controlling-access/" target="_blank"> The Kubernetes Authors. (n.d.). Controlling Access to The Kubernetes API. Retrieved March 29, 2021. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://kubernetes.io/docs/concepts/security/overview/" target="_blank"> Kubernetes. (n.d.). Overview of Cloud Native Security. Retrieved March 8, 2023. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="4.0"> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://learn.microsoft.com/en-us/azure/aks/managed-aad" target="_blank"> Microsoft. (2023, February 27). AKS-managed Azure Active Directory integration. Retrieved March 8, 2023. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://technet.microsoft.com/en-us/library/cc731150.aspx" target="_blank"> Microsoft. (n.d.). Overview of Remote Desktop Gateway. Retrieved June 6, 2016. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://en.wikipedia.org/wiki/IEEE_802.1X" target="_blank"> Wikipedia. (2018, March 30). IEEE 802.1X. Retrieved April 11, 2018. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div>   <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner">  <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div>  <div id="search-body" class="search-body"> <div class="results" id="search-results">  </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1">  <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v15/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v15/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v15/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v15/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/versions/v15/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&CK content v15.1Website v4.1.6">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> © 2015 - 2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div>  </div>  <script src="/versions/v15/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v15/theme/scripts/popper.min.js"></script> <script src="/versions/v15/theme/scripts/bootstrap-select.min.js"></script> <script src="/versions/v15/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v15/theme/scripts/site.js?7550"></script> <script src="/versions/v15/theme/scripts/settings.js?267"></script> <script src="/versions/v15/theme/scripts/search_bundle.js"></script>  <script src="/versions/v15/theme/scripts/resizer.js"></script>  <script src="/versions/v15/theme/scripts/sidebar-load-all.js"></script> </body> </html>

CINXE.COM

Limit Access to Resource Over Network, Mitigation M1035 - Enterprise | MITRE ATT&CK®