AC-3 / SC-7(5) / CM-7 NIST SP 800-53 Rev 5

Default-deny posture

Demonstrate that network, system, and application access controls implement a default-deny policy model where all traffic and actions are blocked unless explicitly authorized by documented rules.

Description

What this control does

Default-deny posture establishes network, application, and system access control policies under which every flow, connection, or action is blocked unless a rule explicitly permits it. This inverts the traditional permissive model: administrators must affirmatively allow each required flow or behavior, in both directions (ingress and egress), rather than block known-bad traffic after the fact. The control reduces attack surface by preventing unauthorized lateral movement, data exfiltration, and exploitation of overlooked services or ports. Implementation spans firewall rulesets, zero-trust network policies, application allowlisting (whitelisting), and API gateway configurations. The deny may be expressed as an explicit terminal rule at the end of a ruleset or as a platform's built-in implicit deny (cloud security groups, for example, are allow-only); either satisfies the control, provided the unmatched case is actually denied and the behavior is documented.

Control objective

What auditing this proves

Demonstrate that network, system, and application access controls implement a default-deny policy model where all traffic and actions are blocked unless explicitly authorized by documented rules.

Associated risks

Risks this control addresses

  • Attackers exploit unmonitored or forgotten network pathways to move laterally across segmented environments
  • Malicious insiders exfiltrate data through undocumented or implicitly permitted outbound connections
  • Compromised workstations execute unauthorized applications or scripts that permissive policies fail to block
  • Shadow IT services operate on non-standard ports without security review or monitoring
  • A host compromised through a zero-day reaches other segments because inter-VLAN or inter-subnet routing is overly permissive, rather than being contained where it was exploited
  • API endpoints accept unauthenticated requests because authorization logic defaults to allow rather than deny
  • Legacy firewall rules accumulate over time, creating implicit allow conditions that bypass intended security architecture
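The API risk above comes down to where an authorization routine falls through when no rule matches. The following is an added illustration, not code from the page or from any product: the same constructed policy table is evaluated twice, once with the fallthrough set to allow and once set to deny, and a helper lists routes the application exposes that no rule covers (the "unreviewed" routes an auditor would ask about). Route paths, roles, and the `anonymous` pseudo-role are all assumptions for the example.

```python
"""Added example: default-allow vs. default-deny authorization for an HTTP API."""
from dataclasses import dataclass
import fnmatch

@dataclass(frozen=True)
class Request:
    method: str
    path: str
    roles: frozenset = frozenset()      # empty set == unauthenticated caller

# Constructed policy: (method, path pattern) -> roles explicitly permitted.
# A route missing from this table has never been reviewed.
POLICY = {
    ("GET", "/health"): {"anonymous"},
    ("GET", "/api/orders/*"): {"customer", "support"},
    ("DELETE", "/api/orders/*"): {"support"},
    ("GET", "/api/admin/*"): {"admin"},
}

def _effective_roles(req: Request) -> frozenset:
    # An unauthenticated caller carries only the "anonymous" pseudo-role,
    # so it can reach a route only if a rule names that role explicitly.
    return req.roles or frozenset({"anonymous"})

def _matching_rules(req: Request):
    # fnmatch is applied to the path as given; a real gateway must
    # normalise the path (dot segments, encoding) before matching.
    return [roles for (m, pat), roles in POLICY.items()
            if m == req.method and fnmatch.fnmatchcase(req.path, pat)]

def authorize_default_allow(req: Request) -> bool:
    """Vulnerable pattern: a request for an unlisted route is never checked
    and falls through to allow, so a new or mistyped route is open to all."""
    rules = _matching_rules(req)
    if not rules:
        return True                     # implicit allow: the defect
    return any(roles & _effective_roles(req) for roles in rules)

def authorize_default_deny(req: Request) -> bool:
    """Hardened pattern: the answer is 'no' unless some explicit rule grants
    one of the caller's roles. No matching rule -> any() over [] -> False."""
    return any(roles & _effective_roles(req) for roles in _matching_rules(req))

def uncovered_routes(exposed_routes):
    """Routes the application serves that no POLICY rule covers. Under
    default-allow these are reachable by anyone; under default-deny they
    are unreachable until someone writes and justifies a rule."""
    return [(m, p) for m, p in exposed_routes
            if not _matching_rules(Request(m, p))]

if __name__ == "__main__":
    # Constructed route list, as if read from the framework's router.
    exposed = [("GET", "/health"), ("GET", "/api/orders/42"),
               ("GET", "/api/internal/debug"), ("POST", "/api/orders")]
    unauth = Request("GET", "/api/internal/debug")
    print("default-allow:", authorize_default_allow(unauth))   # True
    print("default-deny: ", authorize_default_deny(unauth))    # False
    print("unreviewed:   ", uncovered_routes(exposed))
```

The two evaluators agree on every route that has a rule; they differ only on routes that have none, which is exactly the population that grows silently as an API evolves. Reviewing `uncovered_routes()` output at change time is the application-layer equivalent of step 7 in the testing procedure.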

Testing procedure

How an auditor verifies this control

  1. Obtain current firewall and network access control list (ACL) configurations from perimeter devices, internal routers, and cloud security groups
  2. Identify the action taken when no explicit rule matches traffic: examine the chain or ruleset default policy and any terminal catch-all rule, and on allow-only platforms such as cloud security groups confirm the platform's implicit deny and check that no permit is broad enough (any source, any protocol, any port) to negate it
  3. Review application-layer gateway, web application firewall, and API gateway configurations to determine default behavior for unmatched requests
  4. Select a representative sample of user workstations and servers, then review host-based firewall policies and application control configurations
  5. With prior authorization, conduct live testing by attempting to establish network connections to non-production systems using uncommon ports and protocols not explicitly permitted, and confirm that each attempt is refused and appears in the deny logs
  6. Interview network and security engineers to confirm change management processes require explicit allow rules before new services are deployed
  7. Review firewall rule justification documentation to verify each permit statement corresponds to a documented business or operational requirement
  8. Validate that logging captures all denied traffic and that security operations regularly review blocked connection attempts
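Steps 1 to 3 and 7 can be mechanised against configuration exports rather than read by eye. The following is an added example, not code from the page or from any vendor: it takes a constructed `iptables-save` export and a constructed security group in the shape of AWS `describe-security-groups` output, reports each built-in chain whose unmatched traffic is not dropped or rejected (following unconditional jumps into user-defined chains such as a log-then-drop chain), flags permit rules that carry no justification comment, and flags any security group permit so broad that it negates the platform's implicit deny. Chain names, change numbers, CIDRs and the group ID are all invented for the sample.

```python
"""Added example: check firewall exports for a default-deny posture."""
import shlex

TERMINAL_DENY = {"DROP", "REJECT"}
NON_TERMINATING = {"LOG", "NFLOG", "MARK"}   # packet continues down the chain

# Constructed sample: iptables-save output from a hypothetical host.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROP - [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -m comment --comment "CHG-0001 loopback" -j ACCEPT
-A INPUT -s 10.0.1.0/24 -p tcp -m tcp --dport 22 -m comment --comment "CHG-1042 ssh from bastion" -j ACCEPT
-A FORWARD -j LOG_DROP
-A OUTPUT -p tcp -m tcp --dport 443 -m comment --comment "CHG-0977 https egress" -j ACCEPT
-A LOG_DROP -j LOG --log-prefix "fw-drop: "
-A LOG_DROP -j DROP
COMMIT
"""

# Constructed sample in the shape of `aws ec2 describe-security-groups`.
SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "CHG-0977 public https"}]},
        {"IpProtocol": "-1",                      # -1 == all protocols and ports
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temp debugging"}]},
    ],
}

def parse_rule(opts):
    """Split the tokens after '-A CHAIN' into (match tokens, comment, target).
    A '-m comment' is bookkeeping, not a match condition, so it is lifted out."""
    matches, comment, target, i = [], None, None, 0
    while i < len(opts):
        if opts[i:i + 3] == ["-m", "comment", "--comment"]:
            comment, i = opts[i + 3], i + 4
        elif opts[i] == "-j":
            target = opts[i + 1]
            break
        else:
            matches.append(opts[i]); i += 1
    return matches, comment, target

def parse_iptables(text):
    policies, rules = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                 # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]  # policy is "-" for user chains
            policies[name], rules[name] = policy, []
        elif line.startswith("-A "):
            tok = shlex.split(line)
            rules.setdefault(tok[1], []).append(parse_rule(tok[2:]))
    return policies, rules

def terminal_action(chain, policies, rules, depth=0):
    """What happens to a packet matching no conditional rule in `chain`: the
    first unconditional terminating rule wins, else the chain's policy."""
    for matches, _comment, target in rules.get(chain, []):
        if matches or target in NON_TERMINATING:
            continue
        if policies.get(target) == "-" and depth < 8:       # user-defined chain
            sub = terminal_action(target, policies, rules, depth + 1)
            if sub in ("RETURN", "-"):                      # falls back here
                continue
            return sub
        return target
    return policies.get(chain, "-")

def audit_iptables(text):
    policies, rules = parse_iptables(text)
    findings = []
    for chain, policy in policies.items():
        if policy == "-":
            continue                                 # user chains have no default
        action = terminal_action(chain, policies, rules)
        if action not in TERMINAL_DENY:
            findings.append(f"{chain}: unmatched traffic is {action} (no default deny)")
        for matches, comment, target in rules[chain]:
            if target == "ACCEPT" and not comment:
                findings.append(f"{chain}: permit rule without justification: {' '.join(matches)}")
    return findings

def audit_security_group(sg):
    """Security groups are allow-only, so unmatched traffic is implicitly denied;
    the audit question is whether any permit is broad enough to negate that."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        all_ports = perm.get("IpProtocol") == "-1"
        for key, field in (("IpRanges", "CidrIp"), ("Ipv6Ranges", "CidrIpv6")):
            for rng in perm.get(key, []):
                cidr, why = rng[field], rng.get("Description") or "no justification"
                if all_ports and cidr in ("0.0.0.0/0", "::/0"):
                    findings.append(f"{sg['GroupId']}: {cidr} all protocols/ports ({why}) = effective default allow")
                elif not rng.get("Description"):
                    findings.append(f"{sg['GroupId']}: permit {cidr} lacks justification")
    return findings

if __name__ == "__main__":
    for f in audit_iptables(IPTABLES_SAVE) + audit_security_group(SECURITY_GROUP):
        print("FINDING:", f)
```

Against the sample, `INPUT` passes on policy alone, `FORWARD` passes because its only rule jumps unconditionally into a chain that logs and then drops, and `OUTPUT` is reported because an `ACCEPT` policy with no catch-all means egress is default-allow. The conntrack rule is flagged only for lacking a justification, and the security group's all-protocol `0.0.0.0/0` entry is reported as an effective default allow. Running the same checks against exports gathered in step 1 gives the auditor a repeatable basis for the pass criteria rather than a visual scan of rulesets.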
Evidence required

Firewall configuration exports showing the default policy and any terminal deny rule for each ruleset, security group policy definitions together with the platform documentation of their implicit deny, and application control policy exports demonstrating allowlist-only execution modes. Network traffic logs showing blocked connection attempts, change request records documenting approval for each new permit rule, and screenshots of API gateway or web application firewall consoles displaying default-deny enforcement for unmatched requests. Interview notes from infrastructure teams confirming operational procedures for rule creation and periodic review.

Pass criteria

All examined network devices, security groups, host firewalls, and application gateways deny unmatched traffic or requests, either through an explicit default-deny terminal rule or through a documented platform-level implicit deny, with no permit rule broad enough to negate that deny and no evidence of implicit permit behavior for unmatched traffic or requests.
