Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The designer will ensure the application protects access to authentication data by restricting access to authorized users and services.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-16798 | APP3360 | SV-17798r1_rule | ECCD-1 | Medium |
| Description |
|---|
| If authentication is not properly restricted using access controls list, unauthorized users of the server where the authentication data is stored may be able to use the authentication data to access unauthorized servers or services. |
| STIG | Date |
|---|---|
| Application Security and Development STIG | 2014-04-03 |
Details
| Check Text ( C-17794r1_chk ) |
|---|
| Identification and authentication information must be protected by appropriate file permissions. Only administrators and the application or OS process that access the information should have any permissions to access identification and authentication information. In many cases, local backups of the accounts database exist so these must be included in the scope of the review. 1) If non-privileged users have the permission to read or write password files, other than resetting their own password, this is a CAT II finding. 2) If non-privileged users can read user information (e.g., list users but not passwords), this is a CAT III finding. |
| Fix Text (F-17027r1_fix) |
|---|
| Restrict access to authentication data. |