V-246940 | High | ONTAP must be configured to use an authentication server to provide multifactor authentication. | Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With... |
V-246946 | High | ONTAP must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must... |
V-246964 | High | ONTAP must be configured to send audit log data to a central log server. | The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in... |
V-246927 | High | ONTAP must enforce administrator privileges based on their defined roles. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems must be properly configured to incorporate... |
V-246959 | High | ONTAP must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port... |
V-246958 | High | ONTAP must be configured to implement cryptographic mechanisms using FIPS 140-2. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be... |
V-246930 | High | ONTAP must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or... |
V-246947 | Medium | ONTAP must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role. | To assure individual accountability and prevent unauthorized access, administrators must be individually identified and authenticated. Individual accountability mandates that each administrator... |
V-246944 | Medium | ONTAP must be configured to conduct backups of system level information. | System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the... |
V-246945 | Medium | ONTAP must use DoD-approved PKI rather than proprietary or self-signed device certificates. | Each organization obtains user certificates from an approved, shared service provider as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified... |
V-246948 | Medium | ONTAP must implement replay-resistant authentication mechanisms for network access to privileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be... |
V-246949 | Medium | ONTAP must be configured to authenticate SNMP messages using FIPS-validated Keyed-HMAC. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate... |
V-246922 | Medium | ONTAP must be configured to limit the number of concurrent sessions. | Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per... |
V-246923 | Medium | ONTAP must be configured to create a session lock after 15 minutes. | A session lock is a temporary network device or administrator-initiated action taken when the administrator stops work but does not log out of the network device. Rather than relying on the user... |
V-246925 | Medium | ONTAP must automatically audit account-enabling actions. | Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to... |
V-246926 | Medium | ONTAP must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server... |
V-246955 | Medium | ONTAP must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
V-246954 | Medium | ONTAP must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
V-246951 | Medium | ONTAP must enforce a minimum 15-character password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to... |
V-246950 | Medium | ONTAP must authenticate NTP sources using authentication that is cryptographically based. | If Network Time Protocol (NTP) is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which... |
V-246953 | Medium | ONTAP must enforce password complexity by requiring that at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
V-246952 | Medium | ONTAP must enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
V-246933 | Medium | ONTAP must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. | Audit records are stored on staging volumes when auditing is enabled. If the staging volumes do not exist when auditing is enabled, the auditing subsystem creates the staging volumes. These... |
V-246932 | Medium | ONTAP must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device. | Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws,... |
V-246931 | Medium | ONTAP must be configured to enforce the limit of three consecutive failed logon attempts. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. |
V-246936 | Medium | ONTAP must be configured to synchronize internal information system clocks using redundant authoritative time sources. | The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other... |
V-246935 | Medium | ONTAP must have audit guarantee enabled. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. With audit guarantee enabled, all SMB operations must generate an... |
V-246939 | Medium | ONTAP must enforce access restrictions associated with changes to the device configuration. | Failure to provide logical access restrictions associated with changes to device configuration may have significant effects on the overall security of the system. When dealing with access... |
V-246938 | Medium | ONTAP must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time.... |