Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-62451 | CF11-04-000128 | SV-76941r1_rule | Medium |
Description |
---|
To assure individual accountability and prevent unauthorized access, application server users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. ColdFusion is installed with a Root Administrator Account. This account is configured during the installation phase. This account should only be used for initial setup before user accounts are created and should not be used for day-to-day operations. When used as a group account, accountability, along with least privileges for the users, is lost. |
STIG | Date |
---|---|
Adobe ColdFusion 11 Security Technical Implementation Guide | 2015-11-02 |
Check Text ( C-63255r1_chk ) |
---|
Within the Administrator Console, navigate to the "User Manager" page under the "Security" menu. If there are no defined users, this is a finding. |
Fix Text (F-68371r1_fix) |
---|
Navigate to the "User Manager" page under the "Security" menu. Create users that need access to the Administrator Console providing only the roles necessary to perform each job function. |