The designer will ensure access control mechanisms exist to ensure data is accessed and changed only by authorized personnel.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6141	APP3480	SV-6141r1_rule	ECCD-2 ECLP-1 ECPA-1	High

Description
If access control mechanisms are not in place, anonymous users could potentially make unauthorized read and modification requests to the application data which is an immediate loss of the integrity of the data. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data.

Description

If access control mechanisms are not in place, anonymous users could potentially make unauthorized read and modification requests to the application data which is an immediate loss of the integrity of the data. Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data.

STIG	Date
Application Security and Development Checklist	2014-12-22

Details

Check Text ( C-2955r1_chk )
Policy: The designer will ensure access control mechanisms exist to ensure data is accessed and changed only by authorized personnel. The designer will ensure the access procedures enforce the principles of separation of duties and "least privilege." The IAO will ensure the access procedures enforce the principles of separation of duties and "least privilege." Ask the application representative if particular administrative and user functions can be restricted to certain roles. The objective is to ensure that the application prohibits combination of roles that represent an IA risk. In particular, inquire about separation of duties between the following: • Personnel that review and clear audit logs and personnel that perform non-audit administration. • Personnel that create, modify, and delete access control rules and personnel that perform either data entry or application programming. Some applications may only contain administrator access and no other access. For example, network appliances may have administrator only access. Web applications with no user authentication required are also considered to contain a single role, unless the web application provides administrative access to publish web server content. 1) If the application is designed specifically to only have one role, this check is not applicable. 2) If the application representative states that the application does not enforce separation of duties between the roles listed above, it is a finding. If the representative claims that the required separation exists, identify which software component is enforcing it. Evidence of enforcement can either involve the display of relevant security configuration settings or a demonstration using different user accounts, each assigned to a different role. 3) If the application representative cannot provide evidence of separation of duties, it is a finding. *Note: Web services are required to implement role-based access control.

Check Text ( C-2955r1_chk )

Policy:

The designer will ensure access control mechanisms exist to ensure data is accessed and changed only by authorized personnel. The designer will ensure the access procedures enforce the principles of separation of duties and "least privilege." The IAO will ensure the access procedures enforce the principles of separation of duties and "least privilege."

Ask the application representative if particular administrative and user functions can be restricted to certain roles. The objective is to ensure that the application prohibits combination of roles that represent an IA risk. In particular, inquire about separation of duties between the following:

• Personnel that review and clear audit logs and personnel that perform non-audit administration.
• Personnel that create, modify, and delete access control rules and personnel that perform either data entry or application programming.

Some applications may only contain administrator access and no other access. For example, network appliances may have administrator only access. Web applications with no user authentication required are also considered to contain a single role, unless the web application provides administrative access to publish web server content.

1) If the application is designed specifically to only have one role, this check is not applicable.

2) If the application representative states that the application does not enforce separation of duties between the roles listed above, it is a finding.

If the representative claims that the required separation exists, identify which software component is enforcing it. Evidence of enforcement can either involve the display of relevant security configuration settings or a demonstration using different user accounts, each assigned to a different role.

3) If the application representative cannot provide evidence of separation of duties, it is a finding.

*Note: Web services are required to implement role-based access control.

Fix Text (F-17090r1_fix)
Implement access control mechanisms.