
ColdFusion must limit concurrent sessions to the Administrator Console.


Overview

Finding ID: V-62075
Version: CF11-01-000001
Rule ID: SV-76565r1_rule
IA Controls:
Severity: Low
Description
The ColdFusion Administrator Console is used to manage the ColdFusion application server. The console allows a user to configure settings used by hosted applications, maintain connections to external resources, review logs, etc. Disallowing concurrent logons gives a user a method to determine if his account has been compromised (the user will be unable to log into the Administrator Console) and deters a user from having open idle sessions on different workstations, which can also be used by an attacker.
STIG: Adobe ColdFusion 11 Security Technical Implementation Guide
Date: 2017-12-31

Details

Check Text (C-62879r2_chk)
Within the Administrator Console, navigate to the "Administrator" settings under the "Security" menu.

If the setting "Allow concurrent login sessions for Administrator Console" is checked, this is a finding.
Fix Text (F-67995r1_fix)
Within the Administrator Console, navigate to the "Administrator" settings under the "Security" menu. To disable concurrent logins, uncheck the "Allow concurrent login sessions for Administrator Console" setting and select the "Submit Changes" button.