Innoslate must use multifactor authentication for network access to privileged and non-privileged accounts.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-254093	SPEC-IN-000280	SV-254093r845255_rule		High

Description
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Something a user is (e.g., biometric). A privileged account is defined as an information system account with authorizations of a privileged user. Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet). Satisfies: SRG-APP-000149, SRG-APP-000024, SRG-APP-000025, SRG-APP-000026, SRG-APP-000027, SRG-APP-000028, SRG-APP-000029, SRG-APP-000065, SRG-APP-000148, SRG-APP-000150, SRG-APP-000151, SRG-APP-000152, SRG-APP-000153, SRG-APP-000157, SRG-APP-000163, SRG-APP-000164, SRG-APP-000165, SRG-APP-000166, SRG-APP-000167, SRG-APP-000168, SRG-APP-000169, SRG-APP-000170, SRG-APP-000173, SRG-APP-000174, SRG-APP-000175, SRG-APP-000176, SRG-APP-000291, SRG-APP-000292, SRG-APP-000293, SRG-APP-000294, SRG-APP-000295, SRG-APP-000318, SRG-APP-000319, SRG-APP-000320, SRG-APP-000356, SRG-APP-000391, SRG-APP-000392, SRG-APP-000397, SRG-APP-000401, SRG-APP-000402, SRG-APP-000403, SRG-APP-000404, SRG-APP-000405, SRG-APP-000427

Description

Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Something a user is (e.g., biometric). A privileged account is defined as an information system account with authorizations of a privileged user. Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet). Satisfies: SRG-APP-000149, SRG-APP-000024, SRG-APP-000025, SRG-APP-000026, SRG-APP-000027, SRG-APP-000028, SRG-APP-000029, SRG-APP-000065, SRG-APP-000148, SRG-APP-000150, SRG-APP-000151, SRG-APP-000152, SRG-APP-000153, SRG-APP-000157, SRG-APP-000163, SRG-APP-000164, SRG-APP-000165, SRG-APP-000166, SRG-APP-000167, SRG-APP-000168, SRG-APP-000169, SRG-APP-000170, SRG-APP-000173, SRG-APP-000174, SRG-APP-000175, SRG-APP-000176, SRG-APP-000291, SRG-APP-000292, SRG-APP-000293, SRG-APP-000294, SRG-APP-000295, SRG-APP-000318, SRG-APP-000319, SRG-APP-000320, SRG-APP-000356, SRG-APP-000391, SRG-APP-000392, SRG-APP-000397, SRG-APP-000401, SRG-APP-000402, SRG-APP-000403, SRG-APP-000404, SRG-APP-000405, SRG-APP-000427

STIG	Date
SPEC Innovations Innoslate 4.x Security Technical Implementation Guide	2022-08-31

Details

Check Text ( C-57578r845253_chk )
1. Enter the settings.properties file located at C:\Innoslate4\apache-tomcat\webapps\Innoslate4\WEB-INF. 2. Find the LDAP fields. 3. Verify LDAP information is correct. If not, this is a finding. The LDAP Fields should look (not exactly) like this: " LDAP_INITIAL_CONTEXT_FACTORY = com.sun.jndi.ldap.LdapCtxFactory LDAP_PROVIDER_URLS = ldap://providerUrl.com LDAP_SECURITY_AUTHENTICATION = none LDAP_SECURITY_PRINCIPAL = CN=Admin Innoslate,CN=Users,DC=Innoslateactive,DC=com LDAP_SECURITY_CREDENTIALS = password LDAP_USER_CONTEXT = CN=Users,DC=Innoslateactive,DC=com LDAP_USER_OBJECT_CLASS = user LDAP_USER_UID_ATTRIBUTE = sAMAccountName LDAP_CONNECT_TIMEOUT = 1000 LDAP_READ_TIMEOUT = 5000 LDAP_USER_EMAIL_ATTRIBUTE = mail LDAP_USER_FIRST_NAME_ATTRIBUTE = givenName LDAP_USER_LAST_NAME_ATTRIBUTE = sn LDAP_USER_PHONE_NUMBER_ATTRIBUTE = telephoneNumber LDAP_USER_COMPANY_ATTRIBUTE = company LDAP_USER_SEARCH_FILTER = (&(objectClass=user)(sAMAccountName={0})(!(userAccountControl:1.2.840.113556.1.4.803:=2))) "

Check Text ( C-57578r845253_chk )

1. Enter the settings.properties file located at C:\Innoslate4\apache-tomcat\webapps\Innoslate4\WEB-INF.
2. Find the LDAP fields.
3. Verify LDAP information is correct. If not, this is a finding.

The LDAP Fields should look (not exactly) like this:

"
LDAP_INITIAL_CONTEXT_FACTORY = com.sun.jndi.ldap.LdapCtxFactory
LDAP_PROVIDER_URLS = ldap://providerUrl.com
LDAP_SECURITY_AUTHENTICATION = none
LDAP_SECURITY_PRINCIPAL = CN=Admin Innoslate,CN=Users,DC=Innoslateactive,DC=com
LDAP_SECURITY_CREDENTIALS = password
LDAP_USER_CONTEXT = CN=Users,DC=Innoslateactive,DC=com
LDAP_USER_OBJECT_CLASS = user
LDAP_USER_UID_ATTRIBUTE = sAMAccountName
LDAP_CONNECT_TIMEOUT = 1000
LDAP_READ_TIMEOUT = 5000
LDAP_USER_EMAIL_ATTRIBUTE = mail
LDAP_USER_FIRST_NAME_ATTRIBUTE = givenName
LDAP_USER_LAST_NAME_ATTRIBUTE = sn
LDAP_USER_PHONE_NUMBER_ATTRIBUTE = telephoneNumber
LDAP_USER_COMPANY_ATTRIBUTE = company
LDAP_USER_SEARCH_FILTER = (&(objectClass=user)(sAMAccountName={0})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
"

Fix Text (F-57529r845254_fix)
1. Enter settings.properties file. 2. Change the AUTHENTICATION_TYPE to "CAC". 3. Save. 4. Restart the Innoslate service.