Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-35742 | SRG-APP-000062-AS-000028 | SV-47029r1_rule | | Medium |
Description |
---|
Separation of duties is a prevalent Information Technology control that is implemented at different layers of the information system, including the operating system and applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires that the person accountable for approving an action is not the same person who is tasked with implementing or carrying out that action. The person or persons accountable for monitoring the activity must also be separate. To meet this requirement, the AS must divide administrative functionality into roles according to AS duties. Application server vendors may choose to name their respective server management roles differently; however, all roles should be divided according to application server management functionality. For example: |

- AS administrator: has complete control of all aspects of AS configuration and management.
- Configuration administrator: is responsible for the persistent configuration of the server but cannot perform runtime operations (e.g., can install applications but cannot start or stop the server).
- Operator administrator: is responsible for the runtime operations management of starting and stopping the server but cannot install applications.
- Monitor (internal auditor or reviewer): can view configuration and runtime settings but cannot change anything.
STIG | Date |
---|---|
Application Server Security Requirements Guide | 2013-01-08 |
Check Text (C-44085r1_chk) |
---|
Review AS product documentation and configuration to ensure roles that divide administrative duties are established or can be created. If the AS is not configured to meet this requirement, this is a finding. |
Fix Text (F-40285r1_fix) |
---|
Create and configure the appropriate accounts and align them in their respective roles as identified in the product documentation. |
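The following audit script is an added example, not part of the STIG or any vendor's product, that applies the four-role model from the Description to a server's account-to-role assignments and reports the conditions the Check Text is looking for: a dividing role that nobody holds, a reviewer account that can also change the server, and one account holding both the configuration and the operator role. The role names and the capability each role grants are assumptions taken from the role descriptions above; a real AS will use its own names.

```python
"""Audit an application server's role assignments for separation of duties."""
from collections import defaultdict

# Role names are assumed; vendors name them differently (see the finding).
# Each maps to the capabilities the finding describes for that role.
ROLE_CAPS = {
    "as_admin": {"configure", "runtime", "view"},
    "config_admin": {"configure", "view"},   # install apps, cannot start/stop
    "operator_admin": {"runtime", "view"},   # start/stop, cannot install
    "monitor": {"view"},                     # read-only reviewer
}
CHANGE_ROLES = {r for r, caps in ROLE_CAPS.items() if caps - {"view"}}

def permitted(roles, capability):
    """True if any of the account's roles grants the capability."""
    return any(capability in ROLE_CAPS[r] for r in roles)

def audit_assignments(assignments):
    """assignments: iterable of (account, role) pairs.
    Returns a list of finding strings; an empty list means compliant."""
    findings = []
    roles_by_account = defaultdict(set)
    for account, role in assignments:
        if role not in ROLE_CAPS:
            findings.append(f"{account}: unknown role {role!r}")
            continue
        roles_by_account[account].add(role)
    # The check text requires the dividing roles to actually be established.
    present = set().union(*roles_by_account.values())
    for missing in sorted(set(ROLE_CAPS) - present):
        findings.append(f"role {missing!r} has no account assigned")
    for account, roles in sorted(roles_by_account.items()):
        # The reviewer must be separate from anyone able to change the server.
        if "monitor" in roles and roles & CHANGE_ROLES:
            findings.append(f"{account}: monitor combined with "
                            + ", ".join(sorted(roles & CHANGE_ROLES)))
        # Config + runtime on one account is full control without the
        # as_admin designation, defeating the configure/operate split.
        if {"config_admin", "operator_admin"} <= roles:
            findings.append(f"{account}: holds both config_admin and operator_admin")
    return findings

# Constructed sample assignments (not from any real server).
SAMPLE_ASSIGNMENTS = [
    ("alice", "as_admin"),
    ("bob", "config_admin"), ("bob", "operator_admin"),  # split defeated
    ("carol", "operator_admin"),
    ("dave", "monitor"), ("dave", "config_admin"),       # reviewer can change
]

if __name__ == "__main__":
    for f in audit_assignments(SAMPLE_ASSIGNMENTS):
        print("FINDING:", f)
```

Any non-empty result from `audit_assignments` corresponds to "the AS is not configured to meet this requirement" in the Check Text; feed it the assignments exported from the server's own role configuration.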