The application server must enforce approved authorizations for logical access.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35738	SRG-APP-000033-AS-000024	SV-47025r1_rule		High

Description
Strong access controls are critical to securing the AS. Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) must be employed by the AS to control access between users (or processes acting on behalf of users) and objects (e.g., applications, files, records, processes, application domains) in the AS. Without stringent logical access and authorization controls, an adversary may have the ability, with very little effort, to compromise the AS and associated supporting infrastructure.

Description

Strong access controls are critical to securing the AS. Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) must be employed by the AS to control access between users (or processes acting on behalf of users) and objects (e.g., applications, files, records, processes, application domains) in the AS. Without stringent logical access and authorization controls, an adversary may have the ability, with very little effort, to compromise the AS and associated supporting infrastructure.

STIG	Date
Application Server Security Requirements Guide	2013-01-08

Details

Check Text ( C-44081r1_chk )
Review AS product documentation and configuration to determine if the system enforces authorization requirements for logical access to the system in accordance with applicable policy. If the AS is not configured to utilize access controls, this is a finding.

Fix Text (F-40281r1_fix)
Configure the AS to enforce approved authorizations for logical access to the system in accordance with applicable policy.