For authenticated, proxied connections, the ALG must use multifactor authentication for network access to non-privileged accounts.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-NET-000140-ALG-000094 | SRG-NET-000140-ALG-000094 | SRG-NET-000140-ALG-000094_rule | Medium |
| Description |
|---|
| To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Factors include: 1) Something you know (e.g., password/PIN), 2) Something you have (e.g., cryptographic, identification device, token), and 3) Something you are (e.g., biometric) Non-privileged accounts are not authorized on the network element regardless of configuration. Network access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection. The DoD CAC with DoD-approved PKI is an example of multifactor authentication. This requirement applies to ALGs that provide user authentication proxy services. |
| STIG | Date |
|---|---|
| Application Layer Gateway Security Requirements Guide | 2014-06-27 |
Details
| Check Text ( C-SRG-NET-000140-ALG-000094_chk ) |
|---|
| If the ALG does not provide user authentication proxy services, this is not a finding. Verify the ALG is configured to use multifactor authentication for network access to non-privileged accounts. If the ALG does not use multifactor authentication for network access to non-privileged accounts, this is a finding. |
| Fix Text (F-SRG-NET-000140-ALG-000094_fix) |
|---|
| Configure the ALG to use multifactor authentication for network access to non-privileged accounts. |