
Application Server Security Requirements Guide


Overview

Date: 2013-01-08
Finding Count (307): CAT I (High): 16, CAT II (Med): 244, CAT III (Low): 47
STIG Description
The Application Server Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-35328 High The application server must obscure display of authentication information during the authentication process.
V-35324 High The application server, when using PKI-based authentication, must restrict keystore access to authorized users.
V-35219 High The application server must enforce logical access restrictions associated with changes to application configuration.
V-35338 High The application server must use DoD or CNS approved PKI Class 3 or Class 4 certificates.
V-35303 High The application server must use CAC based authentication mechanisms for network access to privileged accounts.
V-35302 High The application server must authenticate users individually prior to using a group authenticator.
V-35304 High The application server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.
V-35306 High The application server must mutually authenticate web services-based devices when establishing a connection.
V-35081 High The application server must specify administrative users and grant them the sole right to change application security attributes pertaining to application server configuration.
V-35299 High The application server must uniquely identify and authenticate users (or processes acting on behalf of users).
V-35226 High The application server must enforce requirements for remote connections to the information system.
V-35317 High The application server must encrypt stored passwords.
V-35318 High The application server must encrypt passwords during transmission.
V-35319 High The application server must utilize encryption when using LDAP for authentication.
V-35738 High The application server must enforce approved authorizations for logical access.
V-35343 High The application server must employ NSA-approved cryptography to protect classified information.
V-35125 Medium Applications providing malicious code protection must support organizational requirements to address the receipt of false positives during malicious code detection, eradication efforts, and the resulting potential impact on the availability of the information system.
V-35127 Medium The application server must verify digital signatures on software components and applications in process.
V-35120 Medium For those instances where the organization requires encrypted traffic to be visible to information system monitoring tools, the application transmitting the encrypted traffic must make provisions to allow that traffic to be visible to specific system monitoring tool.
V-35123 Medium Intrusion detection software must be able to interconnect using standard protocols to create a system-wide intrusion detection system.
V-35684 Medium The application must prevent non-privileged users from circumventing malicious code protection capabilities.
V-35685 Medium Malicious code protection applications must update malicious code protection mechanisms only when directed by a privileged user.
V-35325 Medium The application server must ensure that PKI-based authentication maps the authenticated identity to the user account.
V-35129 Medium The application server must ensure remote sessions for accessing security functions and security-relevant information are audited.
V-35128 Medium Applications providing malicious code protection must support organizational requirements to be configured to perform organization defined action(s) in response to malicious code detection.
V-35321 Medium The application server must enforce password maximum lifetime restrictions.
V-35452 Medium The application server management interface must ensure that users can directly initiate session lock mechanisms which prevent further access to the system.
V-35604 Medium Applications related to incident tracking must support organizational requirements to employ automated mechanisms to assist in the tracking of security incidents.
V-35605 Medium Applications used for non-local maintenance sessions must protect those sessions through the use of a strong authenticator tightly bound to the user.
V-35606 Medium Applications employed to write data to portable digital media must use cryptographic mechanisms to protect and restrict access to information on portable digital media.
V-35607 Medium Application software used to detect the presence of unauthorized software must employ automated detection mechanisms and notify designated organizational officials in accordance with the organization defined frequency.
V-35600 Medium Applications managing network connections for devices must authenticate devices before establishing wireless network connections by using bidirectional authentication that are cryptographic.
V-35601 Medium Applications managing network connectivity must have the capability to authenticate devices before establishing network connections by using bidirectional authentication that are cryptographic.
V-35602 Medium The application server must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-35603 Medium Applications that are designed and intended to address incident response scenarios must provide a configurable capability to automatically disable an information system if any of the organization defined security violations are detected.
V-35428 Medium The application server must isolate security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) controlling access to, and protecting the integrity of software.
V-35608 Medium Applications involved in the production, control, and distribution of symmetric cryptographic keys must use NIST-approved or NSA-approved key management technology and processes.
V-35609 Medium Applications involved in the production, control, and distribution of asymmetric cryptographic keys must use approved PKI Class 3 certificates or prepositioned keying material.
V-35689 Medium Applications scanning for malicious code must support organizational requirements to configure malicious code protection mechanisms to perform periodic scans of the information system on an organization defined frequency.
V-35595 Medium The application server must use multifactor authentication for network access to non-privileged accounts.
V-35596 Medium The application server must use multifactor authentication for local access to non-privileged accounts.
V-35590 Medium Backup/Disaster Recovery-oriented applications must be capable of backing up user-level information per a defined frequency.
V-35329 Medium The Application Server must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.
V-35593 Medium The application must support and must not impede organizational requirements to conduct backups of information system documentation, including security-related documentation, per organization defined frequency.
V-35598 Medium Applications using multifactor authentication when accessing privileged accounts via the network must provide one of the factors by a device that is separate from the information system gaining access.
V-35599 Medium Applications using multifactor authentication when accessing non-privileged accounts via the network must provide one of the factors by a device separate from the information system gaining access.
V-35213 Medium The application server must protect audit tools from unauthorized access.
V-35217 Medium The application server must protect audit data records and integrity by using cryptographic mechanisms.
V-35195 Medium The application server must provide an audit reduction capability.
V-35196 Medium The application server must provide a report generation capability for audit reduction data.
V-35214 Medium The application server must protect audit tools from unauthorized modification.
V-35199 Medium The application server must automatically process audit records for events of interest based upon selectable, event criteria.
V-35218 Medium The application server must protect the audit records generated as a result of remote accesses to privileged accounts and the execution of privileged functions.
V-35444 Medium The application server must provide system notifications to a list of response personnel who are identified by name and/or role.
V-35686 Medium The application server must provide notification of failed automated security tests.
V-35448 Medium The application server must notify appropriate individuals when account disabling actions are taken.
V-35687 Medium Applications providing malicious code protection must support organizational requirements to update malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration.
V-35135 Medium The application server must protect against an individual falsely denying having performed a particular action.
V-35334 Medium The application server must employ cryptographic mechanisms to protect information in storage.
V-35138 Medium The application server must validate the binding of the information producer's identity to the information.
V-35330 Medium The Application Server must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
V-35331 Medium The application server must employ cryptographic encryption to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
V-35332 Medium The application server must employ strong identification and authentication techniques when establishing non-local maintenance and diagnostic sessions.
V-35322 Medium The application server, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
V-35529 Medium The application server, when transferring information between different security domains, must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms.
V-35630 Medium The application must perform data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.
V-35633 Medium Applications must preserve any organization defined system state information in the event of a system failure.
V-35632 Medium Applications that collectively provide name/address resolution service for an organization must implement internal/external role separation.
V-35453 Medium The application server must have the ability to retain a session lock remaining in effect until the user re-authenticates using established identification and authentication procedures.
V-35636 Medium The application server must disable network access by unauthorized components/devices or notify designated organizational officials.
V-35639 Medium Only a Honey Pot information system and/or application must include components that proactively seek to identify web-based malicious code. Honey Pot systems must not be shared or used for any purpose other than described.
V-35333 Medium The application server must terminate all sessions and network connections when non-local maintenance is completed.
V-35320 Medium The application server must enforce password minimum lifetime restrictions.
V-35680 Medium The application server must provide automated support for the management of distributed security testing.
V-35451 Medium The application server must initiate a session lock after an organization defined time period of system or application inactivity has transpired.
V-35627 Medium The application must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
V-35681 Medium Applications providing patch management capabilities must support the organizational requirements to install software updates automatically.
V-35309 Medium The application server must disable device accounts after an organization defined time period of inactivity.
V-35308 Medium The application server must dynamically manage identifiers, attributes, and associated access authorizations.
V-35534 Medium Applications must prohibit the transfer of unsanctioned information in accordance with security policy.
V-35535 Medium The application server must enforce security policies regarding information on interconnected systems.
V-35532 Medium Applications, when transferring information between different security domains, must implement or incorporate policy filters that constrain data object and structure attributes according to organizational security policy requirements.
V-35533 Medium The application server must detect unsanctioned information being transmitted across security domains.
V-35736 Medium The application server must automatically monitor on atypical usage of accounts.
V-35737 Medium Service Oriented Architecture (SOA) components of the application server must dynamically manage user privileges and associated access authorizations.
V-35301 Medium The application server must use CAC based authentication mechanisms for local access to privileged accounts.
V-35300 Medium The application server must use multifactor authentication for network access to privileged accounts.
V-35450 Medium The application server management interface must ensure that the screen display is obfuscated when an application session lock event occurs.
V-35307 Medium Applications managing devices must authenticate devices before establishing remote network connections using bidirectional authentication between devices that are cryptographic.
V-35381 Medium The application server must ensure authentication of both client and server during the entire session.
V-35628 Medium The application must perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
V-35437 Medium The application server must fail securely in the event of an operational failure.
V-35436 Medium The application server must check the validity of data inputs.
V-35435 Medium The application server must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.
V-35434 Medium The application server must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.
V-35344 Medium The application server must utilize FIPS validated cryptography when protecting unclassified compartmentalized data.
V-35088 Medium The application server must allow authorized users to associate PKI credentials with information.
V-35683 Medium The application must automatically update malicious code protection mechanisms, including signature definitions. Examples include anti-virus signatures and malware data files employed to identify and/or block malicious software from executing.
V-35234 Medium The application server must adhere to the principles of least functionality by providing only essential capabilities.
V-35236 Medium The application server must prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
V-35542 Medium The application server must bind security attributes to information to facilitate information flow policy enforcement.
V-35540 Medium The application server must uniquely identify destination domains for information transfer.
V-35546 Medium The application server must enforce information flow control using protected processing domains (e.g., domain type enforcement) as a basis for flow control decisions.
V-35544 Medium The application server must track problems associated with the binding of security attributes to data.
V-35257 Medium The application server must back up application server configuration data on an automated basis.
V-35549 Medium The application server must enforce information flow using dynamic control, based on policy that allows or disallows information flow based on changing conditions or operational considerations.
V-35254 Medium The application server must conduct automated backups of application-level information contained in the application server.
V-35423 Medium The application server must be configured to perform complete application deployments.
V-35569 Medium The application server must validate the binding of the reviewer's identity to the information at the transfer/release point prior to transfer/release from one security domain to another security domain.
V-35659 Medium Applications functioning in the capacity of a firewall must check incoming communications to ensure the communications are coming from an authorized source and are routed to an authorized destination.
V-35429 Medium The application server must automatically terminate emergency accounts after a DoD-defined time period.
V-35424 Medium The application server must provide a clustering capability.
V-35425 Medium The application server must protect the confidentiality of applications and leverage transmission protection mechanisms such as TLS and SSL VPN when deploying applications.
V-35426 Medium The application server must employ cryptographic mechanisms to ensure confidentiality and integrity of application server log data.
V-35427 Medium The application server must employ cryptographic mechanisms to protect data at rest.
V-35657 Medium The application server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
V-35654 Medium The application server must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
V-35118 Medium Applications providing malware and/or firewall protection must monitor inbound and outbound communications for unauthorized activities or conditions.
V-35368 Medium The application server must validate the integrity of security attributes exchanged between systems.
V-35577 Medium The application server must have the capability to produce audit records on hardware-enforced, write-once media.
V-35371 Medium The application server, when hosting mobile applet code must be configured to host only digitally signed mobile code.
V-35449 Medium The application server must notify appropriate individuals when accounts are terminated.
V-35114 Medium Applications providing intrusion and prevention capabilities must prevent non-privileged users from circumventing those capabilities.
V-35498 Medium Applications providing information flow control must enforce approved authorizations for controlling the flow of information within the system in accordance with applicable policy.
V-35222 Medium The application server must employ automated mechanisms for the auditing of enforcement actions.
V-35223 Medium The application server must validate the digital signature of signed web service messages.
V-35220 Medium The application server must employ automated mechanisms for enforcing access restrictions.
V-35221 Medium The application server must automatically record an event in the device audit log each time the server is started.
V-35224 Medium The application server must limit privileges to change the software resident within software libraries (including privileged programs).
V-35225 Medium The application server must automatically implement safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately.
V-35552 Medium Application servers must prevent encrypted data from bypassing content-checking mechanisms.
V-35554 Medium Application servers must enforce organization defined limitations on the embedding of data types within other data types.
V-35556 Medium Application servers must enforce information flow control on metadata.
V-35537 Medium The application server must uniquely identify source domains for information transfer.
V-35559 Medium The application server must use security policy filters as a basis for making information flow control decisions.
V-35112 Medium Applications providing notifications regarding suspicious events must include the capability to notify an organization defined list of response personnel who are identified by name and/or role.
V-35716 Medium The application server must provide automated mechanisms for user account management.
V-35419 Medium The application server management interface must provide a logout functionality to allow the user to manually terminate the session.
V-35649 Medium Applications must support organization defined requirements to load and execute from hardware-enforced, read-only media.
V-35733 Medium The application server must automatically audit account modification.
V-35652 Medium The application server must not share resources used to interface with systems operating at different security levels.
V-35734 Medium The application server must automatically audit account disabling actions and notify appropriate individuals.
V-35643 Medium The application server must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
V-35415 Medium The application server must terminate user sessions upon user logout or any other organization- or policy-defined session termination events such as idle time limit exceeded.
V-35645 Medium Applications required to be non-modifiable must support organizational requirements to provide components that contain no writable storage capability. These components must be persistent across restart and/or power on/off.
V-35647 Medium Applications must, for organization defined information system components, load and execute the operating environment from hardware-enforced, read-only media.
V-35742 Medium The Application Server must implement separation of duties by requiring administrative duties to be divided into distinct roles.
V-35499 Medium The application must enforce approved authorizations for controlling the flow of information between interconnected systems.
V-35438 Medium The application server must employ approved cryptographic mechanisms when transmitting sensitive data.
V-35478 Medium The application server must display security attributes in human-readable form on each object output from the system to system output devices to identify an organization-identified set of special dissemination, handling, or distribution instructions
V-35316 Medium The application server must enforce the number of characters that get changed when passwords are changed.
V-35314 Medium The application server must enforce password complexity by the number of numeric characters used.
V-35315 Medium The application server must enforce password complexity by the number of special characters used.
V-35099 Medium The application must prevent the execution of prohibited mobile code.
V-35310 Medium The application server must enforce minimum password length.
V-35311 Medium The application server must prohibit password reuse for the organization defined number of generations.
V-35094 Medium The application server must support the capability to disable network protocols deemed by the organization to be nonsecure except for explicitly identified components in support of specific operational requirements.
V-35618 Medium Applications, when operating as part of a distributed, hierarchical namespace, must provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among p
V-35091 Medium The application server must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
V-35090 Medium The application server must use cryptography to protect the integrity of the remote access session.
V-35216 Medium The application server must back up audit data and records on an organization defined frequency onto a different system or media than the system the application server itself is running on.
V-35674 Medium Applications performing extrusion detection must be capable of denying network traffic and auditing internal users (or malicious code) posing a threat to external information systems.
V-35676 Medium Applications that serve to protect organizations and individuals from spam messages must incorporate update mechanisms updating protection mechanisms and signature definitions when new application releases are available, in accordance with organizational
V-35671 Medium Proxy applications must support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses.
V-35215 Medium The application server must protect audit tools from unauthorized deletion.
V-35108 Medium The application must protect information obtained from intrusion monitoring tools from unauthorized access, modification, and deletion.
V-35305 Medium Applications using multifactor authentication when accessing non-privileged accounts via the network must utilize replay resistant authentication.
V-35567 Medium The application server must maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
V-35679 Medium Applications utilized for integrity verification must detect unauthorized changes to software and information.
V-35678 Medium Applications that are utilized to address the issue of spam and provide protection from spam must automatically update any and all spam protection measures including signature definitions.
V-35562 Medium The application server must uniquely authenticate destination domains when transferring information.
V-35584 Medium Configuration management applications must employ automated mechanisms to centrally verify configuration settings.
V-35073 Medium The application server must maintain and support the use of digital signatures on software components and applications in storage.
V-35768 Medium The application server must enforce the organization defined time period during which the limit of consecutive invalid access attempts by a user is counted.
V-35766 Medium The application server must limit the number of failed login attempts to an organization defined number of consecutive invalid attempts that occur within an organization defined time period.
V-35539 Medium The application server must uniquely authenticate source domains for information transfer.
V-35342 Medium The application server must employ FIPS-validated cryptography to protect unclassified information.
V-35312 Medium The application server must enforce password complexity by the number of upper case characters used.
V-35079 Medium The application server must bind digital signatures to software components and applications in process.
V-35484 Medium The application must enforce Discretionary Access Control (DAC) policy allowing users to specify and control sharing by named individuals, groups of individuals, or by both, limiting propagation of access rights, and including or excluding access to the g
V-35482 Medium The application server must employ automated mechanisms enabling authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared.
V-35483 Medium The application server must enforce dual authorization, based on organizational policies and procedures for organization defined privileged commands.
V-35480 Medium The application server must monitor for unauthorized connections of mobile devices to organizational information systems.
V-35481 Medium Applications must not enable information system functionality providing the capability for automatic execution of code on mobile devices without user direction.
V-35361 Medium The application server must associate security attributes with information exchanged between information systems.
V-35089 Medium The application server must utilize cryptography to protect the confidentiality of remote access management sessions.
V-35313 Medium The application server must enforce password complexity by the number of lower case characters used.
V-35082 Medium The application server must maintain the binding of security attributes to information with sufficient assurance that the information/attribute association can be used as the basis for automated policy actions.
V-35080 Medium The application server must support and maintain the binding of digital signatures on information in transmission.
V-35662 Medium Boundary protection applications must prevent discovery of specific system components (or devices) composing a managed interface.
V-35663 Medium The application server must employ automated mechanisms to enforce strict adherence to protocol format.
V-35578 Medium The application server must support the enforcement of a two-person rule for changes to organization defined application components and system-level information.
V-35661 Medium The application must be capable of implementing host-based boundary protection mechanisms for servers, workstations, and mobile devices.
V-35477 Medium The application server must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined.
V-35667 Medium Any software application designed to function as a firewall must be capable of employing a default deny all configuration.
V-35664 Medium Boundary protection applications must be capable of preventing public access into the organization's internal networks except as appropriately mediated by managed interfaces.
V-35572 Medium The application must enforce configurable traffic volume thresholds representing auditing capacity for network traffic.
V-35479 Medium The application server must monitor for unauthorized remote connections to the information system on an organization defined frequency.
V-35571 Medium The application server must include organization defined additional, detailed information in the audit records for audit events identified by type, location, or subject.
V-35576 Medium The application server must invoke a system shutdown in the event of an audit failure, unless an alternative audit capability exists.
V-35721 Medium The application server must provide a mechanism to automatically terminate accounts designated as being temporary or emergency after an organization defined time period.
V-35575 Medium The application server must reject or delay, as defined by the organization, network traffic generated above configurable traffic volume thresholds.
V-35727 Medium The application server must automatically audit account creation.
V-35103 Medium Applications utilizing Discretionary Access Control (DAC) must enforce a policy that limits propagation of access rights.
V-35109 Medium The application server must take an organization defined list of least-disruptive actions to terminate suspicious events.
V-35778 Medium Applications providing malicious code protection must support organizational requirements to configure malicious code protection mechanisms to perform real-time scans of files from external sources as the files are downloaded, opened, or executed.
V-35775 Medium The application must prevent unauthorized and unintended information transfer via shared system resources.
V-35774 Medium The application server must prevent the presentation of information system management-related functionality at an interface utilized by general (i.e., non-privileged) users.
V-35136 Medium The application server must associate the identity of the information producer with the information.
V-35107 Medium The application must either implement compensating security controls or the organization explicitly accepts the risk of not performing the verification as required.
V-35101 Medium The application server must enforce an access control policy that includes or excludes access to application objects to the granularity of a single user.
V-35104 Medium Mobile code applications must be developed in accordance with DoD-defined mobile code requirements.
V-35443 Medium The application server must directly employ or allow the utilization of automated patch management tools to facilitate flaw remediation.
V-35770 Medium The Application Server must automatically lock accounts when the maximum number of unsuccessful login attempts is exceeded for an organization defined time period or until the account is unlocked by an administrator.
V-35669 Medium Applications providing remote connectivity must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communications path with resources in external networks.
V-35724 Medium The application server must automatically disable accounts after an organization defined period of account inactivity.
V-35503 Medium The application server must identify data type, specification, and usage when transferring information between different security domains.
V-35641 Medium The application server must isolate security functions enforcing access and information flow control from both non-security functions and from other security functions.
V-35431 Medium The application server must provide automated mechanisms that can be used to alert security personnel of inappropriate or unusual activities with security implications.
V-35376 Medium The application server must separate hosted application functionality from AS management functionality.
V-35564 Medium Applications scanning for malicious code must scan all media used for system maintenance prior to use.
V-35739 Medium The Application Server must enforce non-discretionary access control policies over users and resources.
V-35430 Medium The application server must implement an application isolation boundary.
V-35336 Medium The application server must establish a trusted communications path between the user and organization defined security functions within the information system.
V-35337 Medium Application servers must use NIST-approved or NSA-approved key management technology and processes.
V-35440 Medium The application server must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages.
V-35446 Medium The application server must notify administrators when accounts are created.
V-35502 Medium Application servers providing information flow controls must provide the capability for privileged administrators to configure security policy filters to support different organizational security policies.
V-35447 Medium The application server must notify appropriate individuals when accounts are modified.
V-35617 Medium The application must provide additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.
V-35616 Medium Applications designed to enforce policy pertaining to the use of mobile code must prevent the automatic execution of mobile code in organization defined software applications and require organization defined actions prior to executing the code.
V-35615 Medium Applications designed to enforce policy pertaining to organizational use of mobile code must prevent the download and execution of prohibited mobile code.
V-35614 Medium Applications designed to address malware issues and/or enforce policy pertaining to organizational use of mobile code must take corrective actions, when unauthorized mobile code is identified.
V-35613 Medium Applications designed to address malware issues and/or enforce policy pertaining to organizational use of mobile code must implement detection and inspection mechanisms to identify unauthorized mobile code.
V-35612 Medium Applications must support organizational requirements to issue public key certificates under an appropriate certificate policy or obtain public key certificates under an appropriate certificate policy from an approved service provider.
V-35611 Medium Software and/or firmware used for collaborative computing devices must prohibit remote activation, excluding the organization defined exceptions where remote activation is to be allowed.
V-35610 Medium Applications must respond to security function anomalies in accordance with organization defined responses and alternative action(s).
V-35741 Medium The application server must track problems associated with information transfer.
V-35740 Medium The Application Server must prevent access to organization defined security-relevant information except during secure, non-operable system states.
V-35743 Medium The Application Server must provide a separate, distinct administrative account when accessing AS security functions or security relevant information.
V-35445 Medium The application server must use cryptographic mechanisms to protect the integrity of the application server audit tools.
V-35745 Medium The application server must be able to function within separate processing domains (virtualized systems).
V-35744 Medium The Application Server must provide access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged.
V-35116 Medium The application server must allocate online audit record storage capacity for an organization defined number of continuous days of operation.
V-35500 Medium The application server must use explicit security attributes on information, source, and destination objects as a basis for flow control decisions.
V-35586 Medium Configuration management applications must employ automated mechanisms to centrally respond to unauthorized changes to configuration settings.
V-35441 Medium The application server must restrict error messages so only authorized personnel may view them.
V-35092 Medium The application server must route all remote management access through a centrally managed access control point.
V-35582 Medium Configuration management applications must employ automated mechanisms to centrally apply configuration settings.
V-35580 Medium Configuration management applications must employ automated mechanisms to centrally manage configuration settings.
V-35501 Medium Applications providing information flow control must provide the capability for privileged administrators to enable/disable security policy filters.
V-35682 Medium Applications serving to determine the state of information system components with regard to flaw remediation (patching) must use automated mechanisms to make that determination. The automation schedule must be determined on an organization defined basis.
V-35588 Medium Configuration management solutions must track unauthorized, security-relevant configuration changes.
V-35183 Medium The application server must provide the ability to write specified audit record content to an audit log server.
V-35182 Medium The application server must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.
V-35070 Medium The application server must define the maximum number of concurrent sessions for an application account globally, by account type, by account, or a combination thereof.
V-35117 Medium Applications that detect and alarm on security events such as intrusion detection, firewalls, anti-virus, or malware must provide near real-time alert notification.
V-35347 Medium The application server must protect the integrity and availability of publicly available information and applications.
V-35341 Medium The application server must utilize NSA-approved cryptography when protecting classified compartmentalized data.
V-35634 Medium The application server must enforce requirements regarding the connection of mobile devices to organizational information systems.
V-35121 Low The application server management interface, upon successful logon, must display to the user the date and time of the last logon (access).
V-35439 Low The application server must identify potentially security-relevant error conditions.
V-35212 Low The application server must protect audit information from unauthorized deletion.
V-35192 Low The application server must integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
V-35193 Low Application Servers must centralize the review and analysis of audit records from multiple components within the system.
V-35132 Low The application server must notify the user of the number of successful logins/accesses occurring during an organization defined time period.
V-35133 Low The application server must notify the user of the number of unsuccessful login/access attempts occurring during an organization defined time period.
V-35134 Low The application server must notify users of organization defined security-related changes to the user's account occurring during the organization defined time period.
V-35335 Low The application server must terminate the network connection associated with a communications session at the end of the session or after a DoD-defined time period of inactivity.
V-35139 Low The application server must compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within an organization defined level of tolerance.
V-35161 Low The application server must produce audit records containing sufficient information to establish what type of JVM related events and severity levels occurred.
V-35203 Low The application server must use internal system clocks to generate time stamps for audit records.
V-35204 Low The application server must synchronize with internal information system clocks which, in turn, are synchronized on an organization defined frequency with an organization defined authoritative time source.
V-35205 Low The application server must protect audit information from any type of unauthorized read access.
V-35143 Low The application server must generate audit records for the DoD-selected list of auditable events.
V-35142 Low The application server must provide a user role which designates which organizational personnel select auditable events.
V-35140 Low The application server must produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
V-35432 Low The application server must protect the integrity of applications during the processes of data aggregation, packaging, and transformation in preparation for deployment.
V-35141 Low The application server must provide audit record generation capability for defined auditable events.
V-35148 Low The application server must initiate session auditing upon start up.
V-35238 Low The application server must utilize automated mechanisms to prevent program execution on the information system.
V-35102 Low The application server must display an approved system use notification message or banner before granting access to the system.
V-35157 Low The application server must be configured to remotely view all content related to an established administrative user session in real time.
V-35150 Low The application server must capture, record, and log all content related to an administrative user session.
V-35159 Low The application server must produce application server process events and severity levels to establish what type of HTTPD related events and severity levels occurred.
V-35422 Low The application server must generate unique session identifiers with organization defined randomness requirements.
V-35241 Low The application server must implement transaction recovery for transaction-based processes.
V-35163 Low The application server must produce process events and security levels to establish what type of AS process events and severity levels occurred.
V-35165 Low The application server must produce audit records containing sufficient information to establish when (date and time) the events occurred.
V-35167 Low The application server must produce audit records containing sufficient information to establish where the events occurred.
V-35190 Low The application server must be configured to log the audit subsystem failure notification information that is sent out (e.g., the recipients of the message and the nature of the failure).
V-35191 Low The application server must be configured to fail over to another system in the event of audit subsystem failure.
V-35420 Low The application server must generate a unique session identifier for each session.
V-35421 Low The application server must recognize only system-generated session identifiers.
V-35098 Low The application server management interface must retain the system use notification message or banner on the screen until users take explicit actions to logon for further access.
V-35735 Low The application server must automatically audit account termination and notify appropriate individuals.
V-35176 Low The application server must produce audit records that contain sufficient information to establish the outcome (success or failure) of application server and application events.
V-35096 Low The application server management interface must display an approved system use notification message or banner before granting access to the system.
V-35131 Low In order to inform administrators of failed login attempts made to the administrator's account, the application server management interface, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
V-35105 Low The application server must configure auditing to reduce the likelihood of storage capacity being exceeded.
V-35442 Low The application server must activate an alarm or automatically shut down the application server instance if an application component failure is detected.
V-35170 Low The application server must produce audit records containing sufficient information to establish the sources of the events.
V-35772 Low The application server must protect audit information from unauthorized modification.
V-35186 Low The application server must alert designated individual organizational officials in the event of an audit processing failure.
V-35185 Low The application server must provide a real-time alert when organization defined audit failure events occur.
V-35184 Low The application server must provide a warning when allocated audit record storage volume reaches an organization defined percentage of maximum audit record storage capacity.
V-35188 Low The application server must notify administrative personnel as a group in the event of audit processing failure.