ColdFusion must require a username and password for access by each authorized user access.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-62365	CF11-02-000030	SV-76855r1_rule		High

Description
Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. Enforcing non-repudiation of actions requires that each user be identified. Without this identification, events cannot be traced to a user, and a forensic investigation cannot be conducted to determine what exactly happened and who caused the event to occur. By forcing users to authenticate, each auditable event can be tied to a user, and a sequence of events for the user can be determined. This is critical when investigating an issue or an attack.

Description

Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. Enforcing non-repudiation of actions requires that each user be identified. Without this identification, events cannot be traced to a user, and a forensic investigation cannot be conducted to determine what exactly happened and who caused the event to occur. By forcing users to authenticate, each auditable event can be tied to a user, and a sequence of events for the user can be determined. This is critical when investigating an issue or an attack.

STIG	Date
Adobe ColdFusion 11 Security Technical Implementation Guide	2017-06-15

Details

Check Text ( C-63169r1_chk )
Access the "Administrator" page under the "Security" menu within the Administrator Console. If the "Separate user name and password authentication" is not selected, this is a finding.

Fix Text (F-68285r1_fix)
Access the "Administrator" page under the "Security" menu within the Administrator Console. Select "Separate user name and password authentication" and select the "Submit Changes" button.