
The application server must enforce logical access restrictions associated with changes to application configuration.


Overview

Finding ID: V-35219
Version: SRG-APP-000128-AS-000087
Rule ID: SV-46506r1_rule
IA Controls: (not listed)
Severity: High
Description
Any change to the hardware, software, or firmware components of the information system or application can significantly affect the overall security of the system. Accordingly, only qualified and authorized individuals should be allowed to obtain access to application server components for the purpose of initiating changes, including upgrades and application modifications. The application server must provide a control mechanism that restricts access to configuration capability. The controls can be specific to the application server, delegated to operating system controls, or a combination of both.
STIG: Application Server Security Requirements Guide
Date: 2013-01-08

Details

Check Text ( C-43591r1_chk )
Review the AS documentation and configuration to determine whether the AS provides unique account roles specifically for segmenting the responsibilities of managing the server and the applications installed on it. Log in to the server using an AS role with limited permissions (e.g., Auditor, Monitor, Deployer, Operator) and verify that the account cannot perform configuration changes unrelated to that role. If the AS does not enforce these access restrictions, this is a finding.
Fix Text (F-39765r1_fix)
Configure the AS to use specific roles that restrict access to AS configuration changes.
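As an added illustration (not part of the SRG or of any particular application server's code), the following Python models the role segmentation the fix calls for and automates the check: each limited role attempts every configuration-changing operation, and any attempt that succeeds is recorded as a finding. The role names follow the check text; the operations, the POLICY mapping and the WEAK_POLICY counterexample are constructed assumptions.

```python
from enum import Enum
class Op(Enum):
    VIEW_CONFIG = "view-config"
    READ_AUDIT_LOG = "read-audit-log"
    DEPLOY_APP = "deploy-app"
    START_STOP = "start-stop"
    CHANGE_SERVER_CONFIG = "change-server-config"  # e.g., edit listeners, datasources
    MANAGE_ROLES = "manage-roles"                  # alter the role-to-permission mapping

# Operations that count as configuration changes for this requirement.
CONFIG_CHANGES = (Op.CHANGE_SERVER_CONFIG, Op.MANAGE_ROLES)
# Hypothetical policy: each limited role gets only what its duty needs; only
# Administrator may alter server configuration.
POLICY = {
    "Monitor": {Op.VIEW_CONFIG},
    "Auditor": {Op.VIEW_CONFIG, Op.READ_AUDIT_LOG},
    "Deployer": {Op.VIEW_CONFIG, Op.DEPLOY_APP},
    "Operator": {Op.VIEW_CONFIG, Op.START_STOP},
    "Administrator": set(Op),
}
# Constructed non-compliant variant: Deployer was also granted server configuration.
WEAK_POLICY = {**POLICY, "Deployer": POLICY["Deployer"] | {Op.CHANGE_SERVER_CONFIG}}
LIMITED_ROLES = ("Monitor", "Auditor", "Deployer", "Operator")

class AppServer:
    """Minimal stand-in for an application server's management interface."""
    def __init__(self, policy):
        self.policy = policy
        self.audit = []  # (role, operation, decision) for every attempt

    def perform(self, role, op):
        allowed = op in self.policy.get(role, set())
        self.audit.append((role, op.value, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{role} may not {op.value}")
        return True

def stig_check(server, limited_roles=LIMITED_ROLES):
    """Attempt every configuration change under each limited role; return the
    (role, operation) pairs that were wrongly permitted (empty means compliant)."""
    findings = []
    for role in limited_roles:
        for op in CONFIG_CHANGES:
            try:
                server.perform(role, op)
                findings.append((role, op.value))
            except PermissionError:
                pass
    return findings
```

The audit list records denied attempts as well as allowed ones, which is the evidence an auditor would review alongside the findings list.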