
The designer will ensure the application protects access to authentication data by restricting access to authorized users and services.


Overview

Finding ID: V-16798
Version: APP3360
Rule ID: SV-17798r1_rule
IA Controls: ECCD-1
Severity: Medium
Description
If access to authentication data is not properly restricted using access control lists, unauthorized users of the server where the authentication data is stored may be able to use that data to access servers or services they are not authorized for.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text (C-17794r1_chk)
Identification and authentication information must be protected by appropriate file permissions. Only administrators and the application or OS process that accesses the information should have any permissions on identification and authentication data. In many cases, local backups of the accounts database exist, so these must be included in the scope of the review.

1) If non-privileged users have the permission to read or write password files, other than resetting their own password, this is a CAT II finding.

2) If non-privileged users can read user information (e.g., list users but not passwords), this is a CAT III finding.
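As an added example (not part of the STIG or the UCF viewer), a permission audit that applies the two findings above to a list of authentication files; the file list, the "secrets"/"user_info" kinds, and the trusted uid/gid sets are assumptions the reviewer supplies for the system under review. It goes slightly beyond the text by expanding glob patterns so that local backup copies fall into scope.

```python
import glob
import os
import stat
from typing import NamedTuple

class AuthFile(NamedTuple):
    path: str
    kind: str   # "secrets": password hashes/keys; "user_info": account list, no secrets
    mode: int   # st_mode, or bare permission bits such as 0o640
    uid: int
    gid: int

def classify(f, trusted_uids=frozenset({0}), trusted_gids=frozenset({0})):
    """Return 'CAT II', 'CAT III' or None for one file, following the check text."""
    perms = stat.S_IMODE(f.mode)
    # Bits a non-privileged user can exercise: 'other' always; 'group' unless only
    # administrators or the service account belong to that group (assumed list).
    readable = bool(perms & stat.S_IROTH)
    writable = bool(perms & stat.S_IWOTH)
    if f.gid not in trusted_gids:
        readable = readable or bool(perms & stat.S_IRGRP)
        writable = writable or bool(perms & stat.S_IWGRP)
    if f.uid not in trusted_uids:
        readable = writable = True  # a non-privileged owner can re-grant access
    if f.kind == "secrets" and (readable or writable):
        return "CAT II"    # finding 1: non-privileged read/write of password data
    if f.kind == "user_info" and (readable or writable):
        return "CAT III"   # finding 2: account information without passwords
    return None

def stat_files(patterns):
    """Expand {path-or-glob: kind} so backup copies are in scope, then stat each."""
    for pattern, kind in patterns.items():
        for path in glob.glob(pattern):
            st = os.stat(path)
            yield AuthFile(path, kind, st.st_mode, st.st_uid, st.st_gid)

def audit(files, **trust):
    """Return {path: category} for every file that produces a finding."""
    return {f.path: c for f in files if (c := classify(f, **trust))}

if __name__ == "__main__":
    # Constructed sample (no real system data): a locked-down password store, a
    # world-readable backup of it, and an account list readable by group 1000.
    sample = [AuthFile("/srv/app/auth/passwd.db", "secrets", 0o600, 0, 0),
              AuthFile("/srv/app/auth/passwd.db.bak", "secrets", 0o644, 0, 0),
              AuthFile("/srv/app/auth/users.list", "user_info", 0o640, 0, 1000)]
    for path, cat in sorted(audit(sample).items()):
        print(f"{cat}: {path}")
```

On a live system, replace the constructed sample with `stat_files({"/srv/app/auth/passwd.db*": "secrets", ...})` and the uid/gid sets that apply to that host.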
Fix Text (F-17027r1_fix)
Restrict access to authentication data.