The DBMS, if using multifactor authentication when accessing non-privileged accounts via the network, must provide one of the factors by a device that is separate from the information system gaining access.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32449	SRG-APP-000155-DB-000110	SV-42786r1_rule		Medium

Description
Multifactor authentication is using two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Something a user is (e.g., biometric). A non-privileged account is an information system account with authorizations of a non-privileged user or simply, a regular user. Network access is any access to an information system by a user (or process acting on behalf of a user) where said access is obtained through a network connection. Out Of Band 2 Factor Authentication is when one of the authentication factors is provided by a device separate from the system that is used to gain access. For example, a mobile device, such as a smart phone, is registered within the application to an application user. Upon a successful authentication, the system sends instructions to the registered mobile device in the form of on-screen prompts instructing the user on how to complete the login process. OOB2FA employs separate communication channels where at least one is independently maintained and trusted to authenticate an end user. Applications using multifactor authentication when accessing non-privileged accounts via the network must provide one of the factors by a device separate from the information system gaining access. An example of a separate device would be an RSA token. Weak authentication can allow easy access for unauthorized users.

Description

Multifactor authentication is using two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Something a user is (e.g., biometric). A non-privileged account is an information system account with authorizations of a non-privileged user or simply, a regular user. Network access is any access to an information system by a user (or process acting on behalf of a user) where said access is obtained through a network connection. Out Of Band 2 Factor Authentication is when one of the authentication factors is provided by a device separate from the system that is used to gain access. For example, a mobile device, such as a smart phone, is registered within the application to an application user. Upon a successful authentication, the system sends instructions to the registered mobile device in the form of on-screen prompts instructing the user on how to complete the login process. OOB2FA employs separate communication channels where at least one is independently maintained and trusted to authenticate an end user. Applications using multifactor authentication when accessing non-privileged accounts via the network must provide one of the factors by a device separate from the information system gaining access. An example of a separate device would be an RSA token. Weak authentication can allow easy access for unauthorized users.

STIG	Date
Database Security Requirements Guide	2012-07-02

Details

Check Text ( C-40888r1_chk )
Review DBMS settings to determine whether one of the factors, when using multifactor authentication of non-privileged accounts via the network, is separate from the information system gaining access. If one of the factors is not a device separate from the information system gaining access (i.e., an RSA token), this is a finding.

Fix Text (F-36364r1_fix)
Configure DBMS software to require multifactor authentication, with one of the factors being a device separate from the information system gaining access, when accessing non-privileged accounts via the network.