| ID | Severity | Title | Description |
|---|---|---|---|
| V-246940 | High | ONTAP must be configured to use an authentication server to provide multifactor authentication. | Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With... |
| V-246946 | High | ONTAP must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must... |
| V-246964 | High | ONTAP must be configured to send audit log data to a central log server. | The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in... |
| V-246927 | High | ONTAP must enforce administrator privileges based on their defined roles. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems must be properly configured to incorporate... |
| V-246959 | High | ONTAP must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port... |
| V-246958 | High | ONTAP must be configured to implement cryptographic mechanisms using FIPS 140-2. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be... |
| V-246930 | High | ONTAP must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or... |
| V-246947 | Medium | ONTAP must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role. | To assure individual accountability and prevent unauthorized access, administrators must be individually identified and authenticated. Individual accountability mandates that each administrator... |
| V-246944 | Medium | ONTAP must be configured to conduct backups of system level information. | System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the... |
| V-246945 | Medium | ONTAP must use DoD-approved PKI rather than proprietary or self-signed device certificates. | Each organization obtains user certificates from an approved, shared service provider as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified... |
| V-246948 | Medium | ONTAP must implement replay-resistant authentication mechanisms for network access to privileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be... |
| V-246949 | Medium | ONTAP must be configured to authenticate SNMP messages using FIPS-validated Keyed-HMAC. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate... |
| V-246963 | Medium | ONTAP must be configured to use a data authentication key to safeguard against denial-of-service (DoS) attacks. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. |
| V-246922 | Medium | ONTAP must be configured to limit the number of concurrent sessions. | Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per... |
| V-246923 | Medium | ONTAP must be configured to create a session lock after 15 minutes. | A session lock is a temporary network device or administrator-initiated action taken when the administrator stops work but does not log out of the network device. Rather than relying on the user... |
| V-246925 | Medium | ONTAP must automatically audit account-enabling actions. | Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to... |
| V-246926 | Medium | ONTAP must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable. | Authentication for administrative (privileged-level) access to the device is required at all times. An account can be created on the device's local database for use when the authentication server... |
| V-246955 | Medium | ONTAP must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
| V-246954 | Medium | ONTAP must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
| V-246951 | Medium | ONTAP must enforce a minimum 15-character password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to... |
| V-246950 | Medium | ONTAP must authenticate NTP sources using authentication that is cryptographically based. | If Network Time Protocol (NTP) is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which... |
| V-246953 | Medium | ONTAP must enforce password complexity by requiring that at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
| V-246952 | Medium | ONTAP must enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in... |
| V-246933 | Medium | ONTAP must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. | Audit records are stored on staging volumes when auditing is enabled. If the staging volumes do not exist when auditing is enabled, the auditing subsystem creates the staging volumes. These... |
| V-246932 | Medium | ONTAP must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device. | Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws,... |
| V-246931 | Medium | ONTAP must be configured to enforce the limit of three consecutive failed logon attempts. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. |
| V-246936 | Medium | ONTAP must be configured to synchronize internal information system clocks using redundant authoritative time sources. | The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other... |
| V-246935 | Medium | ONTAP must have audit guarantee enabled. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. With audit guarantee enabled, all SMB operations must generate an... |
| V-246939 | Medium | ONTAP must enforce access restrictions associated with changes to the device configuration. | Failure to provide logical access restrictions associated with changes to device configuration may have significant effects on the overall security of the system. When dealing with access... |
| V-246938 | Medium | ONTAP must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the application include date and time.... |