UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

ColdFusion must require each user to authenticate with a unique account.


Overview

Finding ID Version Rule ID IA Controls Severity
V-62367 CF11-02-000031 SV-76857r1_rule Medium
Description
Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. Enforcing non-repudiation of actions requires that each user be uniquely identified. Without this identification, events cannot be traced to a particular user, and a forensic investigation cannot be conducted to determine what exactly happened and who caused the event to occur. By forcing each user to authenticate using a unique account, each auditable event can be tied to a user, and a sequence of events for the user can be determined. This is critical when investigating an issue or an attack.
STIG Date
Adobe ColdFusion 11 Security Technical Implementation Guide 2017-06-15

Details

Check Text ( C-63171r1_chk )
Review the users within the "User Manager" page under the "Security" menu.

If users are not defined, this is a finding.
Fix Text (F-68287r1_fix)
Create user accounts within the "User Manager" page under the "Security" menu for those users that need access to the Administrator Console.