
The application server must provide automated mechanisms for user account management.


Overview

Finding ID: V-35716
Version: SRG-APP-000023-AS-000015
Rule ID: SV-47003r1_rule
IA Controls:
Severity: Medium
Description
This requirement addresses the user management capability of the application server software; it does not address applications that reside on top of the application server. The automated mechanisms may reside within the application server itself, or the application server developer/vendor may choose to utilize capabilities offered by the operating system or other user management infrastructure in order to provide automated user account management.

Examples of automation include but are not limited to:
- taking automated action on multiple user accounts designated as inactive, suspended, or terminated.
- disabling accounts located in non-centralized account stores such as multiple servers.
- scheduling automated jobs that perform various application server user management activities.

If the application server does not provide automated mechanisms for user account management, the potential exists for the mismanagement of accounts. This includes failure to disable all of the accounts associated with a particular user or process.

The application server must provide the ability to automate user account management tasks across multiple servers, such as when there are clusters of application servers, or the application server must fully integrate with enterprise-level user account management tools that provide this capability, such as Lightweight Directory Access Protocol (LDAP) services.
STIG Date
Application Server Security Requirements Guide 2013-01-08

Details

Check Text (C-44059r1_chk)
Review the AS product documentation and configuration to determine if the AS is configured to provide automated support for account management functions. If the AS is not configured to meet this requirement, this is a finding.
Fix Text (F-40259r1_fix)
Configure the AS to automate user account management.