ColdFusion must authenticate users individually.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-62451	CF11-04-000128	SV-76941r1_rule		Medium

Description
To assure individual accountability and prevent unauthorized access, application server users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. ColdFusion is installed with a Root Administrator Account. This account is configured during the installation phase. This account should only be used for initial setup before user accounts are created and should not be used for day-to-day operations. When used as a group account, accountability, along with least privileges for the users, is lost.

Description

To assure individual accountability and prevent unauthorized access, application server users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. ColdFusion is installed with a Root Administrator Account. This account is configured during the installation phase. This account should only be used for initial setup before user accounts are created and should not be used for day-to-day operations. When used as a group account, accountability, along with least privileges for the users, is lost.

STIG	Date
Adobe ColdFusion 11 Security Technical Implementation Guide	2017-06-15

Details

Check Text ( C-63255r1_chk )
Within the Administrator Console, navigate to the "User Manager" page under the "Security" menu. If there are no defined users, this is a finding.

Fix Text (F-68371r1_fix)
Navigate to the "User Manager" page under the "Security" menu. Create users that need access to the Administrator Console providing only the roles necessary to perform each job function.