
The application server must use CAC-based authentication mechanisms for network access to privileged accounts.


Overview

Finding ID: V-35303
Version: SRG-APP-000156-AS-000105
Rule ID: SV-46590r1_rule
IA Controls:
Severity: High
Description
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols that use nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS-Security), time-synchronous or challenge-response one-time authenticators, and CACs. Application servers typically provide management access via a web server-based interface or via command line scripted access. As such, the application server must take the necessary steps to ensure the authentication mechanisms built into the application server do not allow for replay-based attacks that could compromise privileged accounts. CAC authentication meets these requirements.
STIG: Application Server Security Requirements Guide
Date: 2013-01-08

Details

Check Text ( C-43672r1_chk )
Review AS documentation and configuration to ensure the AS is configured to utilize a CAC when authenticating administrative users. If the AS is not configured to meet this requirement, this is a finding.
Fix Text (F-39849r1_fix)
Configure the AS to utilize CAC-based authentication for network access to privileged accounts.
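An added example (not part of the STIG text) of the nonce-based challenge-response the Description refers to: the server issues a single-use nonce, the client proves possession of its credential over that nonce, and a recorded response replayed later is refused. The HMAC key standing in for a CAC private key and the "admin1" account are constructed for the demo.

```python
import hashlib, hmac, os, time

# Constructed stand-in for the private key on an administrator's CAC. A real
# server verifies a PKI signature against the card's certificate instead of an
# HMAC; the nonce bookkeeping that defeats replay is the same either way.
ADMIN_KEYS = {"admin1": b"constructed-demo-key"}


def sign_challenge(key: bytes, account: str, nonce: str) -> str:
    """Client side: prove possession of the credential for this nonce only."""
    return hmac.new(key, f"{account}:{nonce}".encode(), hashlib.sha256).hexdigest()


class ChallengeResponseVerifier:
    """Server side: one fresh nonce per login attempt, consumed on first use."""

    def __init__(self, keys, ttl_seconds=60):
        self._keys, self._ttl = keys, ttl_seconds
        self._pending = {}  # nonce -> (account, issued_at)
        self._used = set()  # consumed nonces, so a replayed message is recognised

    def issue_challenge(self, account: str) -> str:
        nonce = os.urandom(16).hex()
        self._pending[nonce] = (account, time.monotonic())
        return nonce

    def verify(self, account: str, nonce: str, response: str) -> str:
        if nonce in self._used:
            return "rejected: replayed nonce"
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return "rejected: unknown nonce"
        self._used.add(nonce)  # single use, whatever the outcome below
        issued_for, issued_at = entry
        if issued_for != account or time.monotonic() - issued_at > self._ttl:
            return "rejected: expired or wrong account"
        key = self._keys.get(account)
        expected = sign_challenge(key, account, nonce) if key else ""
        if not hmac.compare_digest(expected, response):
            return "rejected: bad response or unknown account"
        return "accepted"


def demo():
    # Legitimate login, then the same captured message replayed verbatim.
    server = ChallengeResponseVerifier(ADMIN_KEYS)
    nonce = server.issue_challenge("admin1")
    captured = sign_challenge(ADMIN_KEYS["admin1"], "admin1", nonce)
    first = server.verify("admin1", nonce, captured)
    replay = server.verify("admin1", nonce, captured)
    return first, replay
```

Running demo() returns ("accepted", "rejected: replayed nonce"): the recorded message is worthless the moment its nonce has been consumed.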