Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-6154 | APP3470 | SV-6154r1_rule | ECLP-1 ECPA-1 | Medium |
Description |
---|
Without a least privilege policy, a user can gain access to information that he or she is not entitled to and can compromise the confidentiality, integrity, and availability of the system. Minimizing privileges also reduces the risk associated with hijacked accounts. Role-based accounts can separate administrative and non-administrative rights into different roles. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2013-07-16 |
Check Text ( C-3033r1_chk ) |
---|
Policy: The designer will ensure the application is organized by functionality and roles to support the assignment of specific roles to specific application functions. The IAO will ensure access to privileged accounts is limited to privileged users. The IAO will ensure non-privileged accounts are limited to non-privileged users. The IAO will ensure the application account is established and administered in accordance with a role-based access scheme to enforce least privilege and separation of duties.

Check: Log on as an unprivileged user. Examine the user interfaces (graphical, web, and command line) to determine whether any administrative functions are available. Privileged functions include the following:

• Create, modify, and delete user accounts and groups
• Grant, modify, and remove file or database permissions
• Configure password and account lockout policy
• Configure policy regarding the number and length of sessions
• Change passwords or certificates of users other than oneself
• Determine how the application will respond to error conditions
• Determine auditable events and related parameters
• Establish log sizes, fill thresholds, and fill behavior (i.e., what happens when the log is full)

Some applications may only contain administrator access and no other access. For example, network appliances may have administrator-only access. Web applications with no user authentication required are also considered to contain a single role, unless the web application provides administrative access to publish web server content.

1) If the application is designed specifically to have only one role, this check is not applicable.

2) If non-privileged users have the ability to perform any of the functions listed above, it is a finding. Finding details should specify which of the functions are not restricted to privileged users.

Work closely with the application SA before testing any administrative changes to ensure local change management procedures are followed. Immediately back out of any changes that occur during testing.

Review administrative rights assignments in all application components, including the database software and operating system. On Windows systems, review each of the User Rights to determine which users and groups are given more than default capabilities. User Rights can be viewed by using DumpSec, then selecting Reports, Dump Rights.

3) If privileged rights are granted to non-privileged users, it is a finding.

*Note: Web services are required to separate functionality by roles. |
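The Windows part of the check above (reviewing User Rights assignments for users and groups holding more than default capabilities) can also be done without DumpSec. The following PowerShell script is an added example and is not part of the STIG; it exports the local security policy with the built-in secedit tool, resolves the SIDs in the [Privilege Rights] section to account names, prints every right with its holders, and then flags a reviewer-chosen set of host-administrative rights held by principals outside a reviewer-chosen baseline. The `$privilegedRights` and `$expected` lists are assumptions for illustration, not Windows defaults or STIG requirements; compare them against the local default and site policy before treating any line as a finding. It must be run from an elevated session.

```powershell
# Added example, not STIG text: enumerate Windows User Rights assignments with
# secedit (an alternative to DumpSec) and flag sensitive rights held by
# principals outside a reviewer-chosen baseline.
# Assumptions: elevated PowerShell on the host under review; the lists of
# privileged rights and expected holders below are illustrative, not defaults.

$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# secedit writes a UTF-16 .inf; keep only the [Privilege Rights] section.
$inSection = $false
$rights = @{}
foreach ($line in (Get-Content -Path $cfg -Encoding Unicode)) {
    if ($line -match '^\[(.+)\]$') {
        $inSection = ($Matches[1] -eq 'Privilege Rights')
        continue
    }
    if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $name = $Matches[1]
    # Holders are comma-separated; SIDs carry a leading '*', plain names do not.
    $holders = foreach ($raw in ($Matches[2] -split ',')) {
        $raw = $raw.Trim()
        if ($raw.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $raw.TrimStart('*')
            # Unresolvable SIDs (deleted accounts, foreign domains) are kept raw.
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $raw }
        } elseif ($raw) { $raw }
    }
    $rights[$name] = @($holders)
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Full listing, the equivalent of DumpSec's Reports > Dump Rights.
$rights.GetEnumerator() | Sort-Object Key | ForEach-Object {
    [pscustomobject]@{ Right = $_.Key; Holders = ($_.Value -join ', ') }
} | Format-Table -AutoSize -Wrap

# Rights that amount to administrative control of the host (reviewer's choice).
$privilegedRights = @(
    'SeDebugPrivilege', 'SeTcbPrivilege', 'SeTakeOwnershipPrivilege',
    'SeBackupPrivilege', 'SeRestorePrivilege', 'SeLoadDriverPrivilege',
    'SeCreateTokenPrivilege', 'SeAssignPrimaryTokenPrivilege'
)
# Principals expected to hold them (assumed baseline; adjust to local policy).
$expected = @(
    'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE'
)

"Privileged rights held by principals outside the expected baseline:"
foreach ($r in $privilegedRights) {
    if (-not $rights.ContainsKey($r)) { continue }
    $unexpected = @($rights[$r] | Where-Object { $expected -notcontains $_ })
    if ($unexpected.Count -gt 0) { '  {0}: {1}' -f $r, ($unexpected -join ', ') }
}
```

Each line printed under the final heading is a candidate for item 3) of the check and still needs to be confirmed against the platform's documented defaults and the site's change records; a non-default holder that was deliberately granted a right by policy is not a finding, and a raw SID that did not resolve may indicate an orphaned assignment that should be removed.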
Fix Text (F-17088r1_fix) |
---|
Modify the application so that it is organized by functionality and roles to support the assignment of specific roles to specific application functions. Assign privileged accounts only to privileged users. Assign non-privileged accounts only to non-privileged users. Establish and administer accounts in accordance with a role-based access scheme to enforce least privilege and separation of duties. |