The Manager Web app password must be configured as follows: -15 or more characters -at least one lower case letter -at least one upper case letter -at least one number -at least one special character

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-224785	ISEC-06-550700	SV-224785r505933_rule		Medium

Description
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. Satisfies: SRG-APP-000164, SRG-APP-000166, SRG-APP-000169

Description

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. Satisfies: SRG-APP-000164, SRG-APP-000166, SRG-APP-000169

STIG	Date
ISEC7 Sphere Security Technical Implementation Guide	2020-09-04

Details

Check Text ( C-26476r461611_chk )
Verify the Manager Web app password has been configured as follows: -15 or more characters -at least one lower case letter -at least one upper case letter -at least one number -at least one special character Login to the ISEC7 EMM Suite server. Open a Web browser and go to https://localhost/manager/html Login with the custom administrator login and password. Verify password entered meets complexity requirements. If the Manager Web app password has not been configured as required, this is a finding.

Check Text ( C-26476r461611_chk )

Verify the Manager Web app password has been configured as follows:
-15 or more characters
-at least one lower case letter
-at least one upper case letter
-at least one number
-at least one special character

Login to the ISEC7 EMM Suite server.
Open a Web browser and go to https://localhost/manager/html
Login with the custom administrator login and password. Verify password entered meets complexity requirements.

If the Manager Web app password has not been configured as required, this is a finding.

Fix Text (F-26464r461612_fix)
To set a strong password on the Manager Web app, run the ISEC7 integrated installer or use the following manual procedure: Login to the ISEC7 EMM Suite server. Browse to :\Program Files\ISEC7 EMM Suite\Tomcat\conf and open Tomcat-Users.xml Open the Command Prompt and CD to :\Program Files\ISEC7 EMM Suite\Tomcat\bin Execute the following using 'sha' command: digest –a sha password* *where password is the 15 character password designated for the account Copy the output, which is the hashed digest password. In Tomcat-Users.xml, add in the password for the user with the obfuscated output at example: Save the file. Open :\Program Files\ISEC7 EMM Suite\Tomcat\conf\server.xml with Notepad.exe Enter: resourceName="UserDatabase" digest=”sha”/> Save the file. Restart the ISEC7 EMM Suite Web service using the services.msc Note: the password must meet the following complexity requirements: -15 or more characters -at least one lower case letter -at least one upper case letter -at least one number -at least one special character

Fix Text (F-26464r461612_fix)

To set a strong password on the Manager Web app, run the ISEC7 integrated installer or use the following manual procedure:

Login to the ISEC7 EMM Suite server.
Browse to :\Program Files\ISEC7 EMM Suite\Tomcat\conf and open Tomcat-Users.xml
Open the Command Prompt and CD to :\Program Files\ISEC7 EMM Suite\Tomcat\bin
Execute the following using 'sha' command:

digest –a sha password*

*where password is the 15 character password designated for the account

Copy the output, which is the hashed digest password.
In Tomcat-Users.xml, add in the password for the user with the obfuscated output at
example:

Save the file.
Open :\Program Files\ISEC7 EMM Suite\Tomcat\conf\server.xml with Notepad.exe
Enter: resourceName="UserDatabase" digest=”sha”/>
Save the file.
Restart the ISEC7 EMM Suite Web service using the services.msc

Note: the password must meet the following complexity requirements:
-15 or more characters
-at least one lower case letter
-at least one upper case letter
-at least one number
-at least one special character