The application server must employ strong identification and authentication techniques when establishing non-local maintenance and diagnostic sessions
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-35332 | SRG-APP-000185-AS-000131 | SV-46619r1_rule | Medium |
| Description |
|---|
| Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Application servers will typically utilize an HTTP interface for providing both local and remote maintenance and diagnostic sessions. In these instances, an acceptable strong identification and authentication technique consists of utilizing two-factor authentication via secured HTTPS connections. If the application server also provides maintenance and diagnostic access via a fat client or other client-based connection, then that client must also utilize two-factor authentication and use FIPS-approved encryption modules for establishing transport connections. |
| STIG | Date |
|---|---|
| Application Server Security Requirements Guide | 2013-01-08 |
Details
| Check Text ( C-43700r1_chk ) |
|---|
| Review the AS configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism that employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions. If the AS is not authenticating through the Enterprise Authentication Mechanism, this is a finding. |
| Fix Text (F-39878r1_fix) |
|---|
| Configure the AS to authenticate through the Enterprise Authentication Mechanism. |