Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The designer will ensure the application does not rely solely on a resource name to control access to a resource.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-16804 | APP3460 | SV-17804r1_rule | DCSQ-1 | High |
| Description |
|---|
| Application access control decisions should be based on authentication of users. Resource names alone can be spoofed allowing access control mechanisms to be bypassed giving immediate access to the application. |
| STIG | Date |
|---|---|
| Application Security and Development STIG | 2014-04-03 |
Details
| Check Text ( C-17802r1_chk ) |
|---|
| Verify the application does not grant access solely based on a resource name (e.g., username, IP address, machine name). Also, verify a username with a blank password does not grant access to the application. 1) If authentication is granted based on a resource name only, it is a finding. |
| Fix Text (F-17087r1_fix) |
|---|
| Implement authentication on systems requiring access control. |