UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Application Server must implement separation of duties by requiring administrative duties to be divided into distinct roles


Overview

Finding ID Version Rule ID IA Controls Severity
V-35742 SRG-APP-000062-AS-000028 SV-47029r1_rule Medium
Description
Separation of duties is a prevalent Information Technology control that is implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires that the person accountable for approving an action is not the same person who is tasked with implementing or carrying out that action. Additionally, the person or persons accountable for monitoring the activity must be separate as well. To meet this requirement, the AS must divide administrative functionality into roles according to AS duties. Application server vendors may choose to name their respective server management roles differently; however, all roles should be divided according to application server management functionality. For example: - AS administrator: has complete control of all aspects of AS configuration and management. - Configuration administrator: is responsible for the persistent configuration of the server but cannot perform runtime operations (e.g., can install applications but cannot start or stop the server). - Operator administrator: is responsible for the runtime operations management of starting and stopping the server but cannot install applications. - Monitor (internal auditor or reviewer): can view configuration and runtime settings but cannot change anything.
STIG Date
Application Server Security Requirements Guide 2013-01-08

Details

Check Text ( C-44085r1_chk )
Review AS product documentation and configuration to ensure roles that divide administrative duties are established or can be created. If the AS is not configured to meet this requirement, this is a finding.
Fix Text (F-40285r1_fix)
Create and configure the appropriate accounts and align them in their respective roles as identified in the product documentation.