The MDM server must obscure a password when it is entered on the server.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-36026 | SRG-APP-178-MDM-023-SRV | SV-47415r1_rule | Low |
| Description |
|---|
| To prevent the compromise of authentication information, such as passwords during the authentication process, the feedback from the MDM server shall not provide any information that would allow an unauthorized user to compromise the authentication mechanism. During the authentication process, malicious users can gain knowledge of passwords by simply walking by a user logging on, and viewing what had been input. Obfuscation of user provided information when typed into the system is a method used in addressing this risk. |
| STIG | Date |
|---|---|
| Mobile Device Manager Security Requirements Guide | 2013-01-24 |
Details
| Check Text ( C-44265r1_chk ) |
|---|
| Review the MDM server configuration to determine whether passwords entered are obfuscated. It is acceptable for the passwords to be revealed for very brief periods of time (less than a second), so the user can verify if the character was entered correctly. Characters may be obfuscated via asterisks or other means. If the MDM server does not otherwise hide passwords as they are entered, this is a finding. |
| Fix Text (F-40556r1_fix) |
|---|
| Configure the MDM server to obscure passwords when entered. |