V-16151 | High | The Security Mode is not configured to “Hard” on the Sun Ray server. | Soft security mode ensures that every client requesting a session gets one, even if security requirements cannot be met. As a result, the soft security mode grants insecure sessions. Hard... |
V-16071 | High | Default administrator account is used to access the administration tool. | The default administrator account, “admin”, does not provide an audit trail of who logged in and the default password may be easily guessed or be publicly known. If system administrators use the... |
V-16072 | High | Unauthorized users have access to the Sun Ray administration tool. | Unauthorized users accessing the Sun Ray administration tool could modify or disable the entire Sun Ray server or network. Unrestricted access may also give access to other operating system... |
V-16064 | High | Self-registration is permitted for users. | Sun Ray Desktop Unit users are not registered centrally by the system administrator. With self-registration, the system administrator does not assign registered tokens to the authorized... |
V-16157 | Medium | The Sun Ray server does not record log files. | Logs form a recorded history or audit trail of the Sun Ray server system events, making it easier for system administrators to track down intermittent problems, review past events, and piece... |
V-16155 | Medium | A failover group signature is not configured on all Sun Ray servers in the failover group. | Without the use of a failover group signature, an unauthorized Sun Ray server may become a member of the group, thereby receiving replication traffic. Servers in a group authenticate one another... |
V-16153 | Medium | The Sun Ray system is not configured for high availability. | High availability is important when implementing the Sun Ray system since users authenticate and establish sessions with the Sun Ray servers. User data may also be stored on the Sun Ray server,... |
V-16145 | Medium | The Sun Ray server console administration sessions are not encrypted. | Unencrypted Sun Ray server console sessions do not protect the information transmitted from being read or viewed by anyone. Unencrypted sessions are vulnerable to a number of attacks to include... |
V-16075 | Medium | Sun Ray Server administrator session default timeout is used. | Administrator sessions to the Sun Ray Server are critical to the availability and integrity of the system. The default timeout for these sessions is 30 minutes of inactivity. This session... |
V-16159 | Medium | The Sun Ray audit logs are not retained for a minimum of one year. | Storing log files for at least a year provides a way to recover these files in case an investigation is necessary. Typically these files are stored offline on tape media or external networks. Log... |
V-16158 | Medium | The Sun Ray server logs are more permissive than 640. | The Sun Ray server logs should be appropriately secured, having file permissions that restrict unauthorized changes or viewing. Unauthorized users accessing the audit logs may delete, modify, or... |
V-16379 | Medium | There is no documented baseline of the default setuid and setgid files. | There are programs that have setuid and setgid flags set within the Sun Ray server. Setuid is a flag that allows an application to temporarily change the permissions of the user running the... |
V-16351 | Medium | Administrative password is not configured for Desktop Units. | From a physical security perspective, the DTU pop-up menu is accessible; therefore a username/password or an administrative-only password is recommended to protect the device from unauthorized changes... |
V-16083 | Medium | Sun Ray Desktop Units firmware is not at the minimum version. | All Sun Ray firmware is supported by the Sun Ray Desktop Units PROM. Therefore, older versions of the Sun Ray firmware may not be as secure as newer versions. In order to support encryption... |
V-16395 | Medium | Sun Ray Server is not properly registered in VMS or database. | The Vulnerability Management System (VMS) was developed to interface with the DOD Enterprise tools to assist all DOD CC/S/As in the identification of security vulnerabilities and track the issues... |
V-16394 | Medium | The Sun Management Center does not monitor daemons, failover groups, and interconnects. | Without an on-line monitoring system in place, unusual or inappropriate activity could go unnoticed or undetected. Activity could include system services stopping, starting, file... |
V-16146 | Medium | Sun Ray Desktop Unit to server communication is not encrypted. | In earlier versions of Sun Ray Server Software, data packets on the Sun Ray interconnect were sent in the clear or in plaintext. This made it easy to “snoop” the traffic and recover vital and... |
V-16396 | Medium | Sun Ray servers are not configured with the correct posture in VMS. | Correctly configuring the Sun Ray asset in VMS will ensure that the appropriate vulnerabilities are assigned to the asset. If the asset is not configured with the correct posture, vulnerabilities... |
V-16143 | Medium | USB ports are not disabled for all Sun Ray Desktop Units. This requirement excludes the keyboard and mouse. | Enabled USB ports may be used by users to store files, scripts, and executables. USB thumb drives, USB hard drives, and USB appliances may be inserted into these ports. If unapproved... |
V-16100 | Medium | Sun Ray Server software patches are not tested in a development environment first before deploying to production. | Organizations need to stay current with all applicable Sun Ray Server software updates that are released from Sun Microsystems. New Sun Ray Server patches and updates should be reviewed for the... |
V-16061 | Medium | Sun Ray Desktop Unit traffic is not isolated logically through the use of a dedicated VLAN or network segment. | Isolated LANs provide a greater degree of security than traditional LANs since only authorized users and devices are allowed to connect. Authorized users and devices are configured through the... |
V-16103 | Medium | The Sun Ray server software is not current with the latest available patches. | Sun Ray software patches mitigate many known vulnerabilities. To ensure that attackers cannot take advantage of known Sun Ray vulnerabilities, applicable software patches must be applied as they... |
V-16148 | Medium | Server Authentication is not configured on the Sun Ray server. | It is possible to spoof a Sun Ray server or a Sun Ray client and pose as either. This leads to the man-in-the-middle attack, in which an impostor claims to be the Sun Ray server for the clients... |
V-17455 | Medium | The Sun Ray Session Server (SRSS) is not located in a DMZ or screened subnet. | If the SRSS is configured to service external clients from the internal enclave, there is a potential that an external adversary can obtain information about internal hosts that could assist the... |
V-16349 | Medium | The Sun Ray system backups are not performed in accordance with the assigned MAC level. | The three MAC levels have different requirements for backing up data. For MAC III systems it is necessary to ensure that backups are performed weekly. For MAC II systems backups are performed daily... |
V-16063 | Low | The user kiosk mode timeout is configured with no value. | If no value is specified for the number of seconds for a disconnected kiosk session, the termination of disconnected sessions will be disabled. This could potentially leave open sessions and may... |
V-16393 | Low | Sun Ray server does not send logs to syslog server. | Remote logging is essential in monitoring servers and detecting intrusion. If an intruder is able to obtain root on a host, they may be able to edit the system logs to remove all traces of the... |
V-16062 | Low | User tokens are not forced to authenticate to the Sun Ray Server. | The Sun Ray Server must be configured to permit access only to smart cards that are registered in the Sun Ray Datastore. |
V-16354 | Low | Sun Ray Desktop Units are not assigned with DHCP reserved IP addresses. | Sun Ray servers will not distribute DHCP addresses to non-Sun Ray Desktop Units. Configuring Sun Ray Desktop Units with reserved IP addresses will ensure no rogue desktop units are attached to... |
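Three of the findings above are plain host-level checks that do not depend on Sun Ray tooling: V-16158 (log files more permissive than 640), V-16379 (a documented baseline of setuid/setgid files) and V-16393 (logs forwarded to a syslog server). The script below is an added example written for this page; it is not part of the STIG and not code shipped with Sun Ray Server Software. The log directory /var/opt/SUNWut/log, the baseline file /var/adm/setxid.baseline, the syslog.conf path and the sample configuration used to exercise it are all assumptions. It uses only find(1), ls(1), comm(1) and awk(1); on Solaris the XPG4 awk (/usr/xpg4/bin/awk) is needed, since the legacy /usr/bin/awk does not understand the [[:space:]] character class.

```shell
#!/bin/sh
# Added example, not part of the STIG or of Sun Ray Server Software.
# Host-level checks for V-16158 (log permissions), V-16379 (setuid/setgid
# baseline) and V-16393 (remote syslog). The default paths below are assumptions.
LC_ALL=C; export LC_ALL   # fixed collation so comm(1) sees identically sorted input

# V-16158: regular files under the log directory with any bit beyond 0640 set
# (owner execute, group write or execute, or any world permission).
find_permissive_logs() {
    find "${1:-/var/opt/SUNWut/log}" -type f \( -perm -0100 -o -perm -0020 \
        -o -perm -0010 -o -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
}

check_log_perms() {
    bad=$(find_permissive_logs "$1")
    [ -z "$bad" ] && return 0
    printf 'Log files more permissive than 640:\n%s\n' "$bad"
    return 1
}

fix_log_perms() {
    find "${1:-/var/opt/SUNWut/log}" -type f -exec chmod 640 {} +
}

# V-16379: one line "mode owner group path" per setuid/setgid regular file,
# sorted so that two scans can be compared with comm(1). File names that
# contain spaces would need a different parser.
scan_setxid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} + 2>/dev/null | awk '{ print $1, $3, $4, $NF }' | sort
}

# Record the baseline once, on a freshly installed and patched server.
record_setxid_baseline() {
    scan_setxid "$1" > "$2"
}

# Report files added since the baseline, and files removed or whose
# mode/owner changed (a changed file shows up on both lists).
check_setxid_baseline() {
    current=$(mktemp)
    scan_setxid "$1" > "$current"
    added=$(comm -13 "$2" "$current")
    removed=$(comm -23 "$2" "$current")
    rm -f "$current"
    changed=0
    [ -n "$added" ] && { printf 'Not in baseline:\n%s\n' "$added"; changed=1; }
    [ -n "$removed" ] && { printf 'Missing or changed since baseline:\n%s\n' "$removed"; changed=1; }
    return $changed
}

# V-16393: syslog.conf lines whose action is a remote host (action begins with '@').
remote_syslog_rules() {
    awk '!/^[[:space:]]*#/ && NF >= 2 && $NF ~ /^@/ { print $1, $NF }' \
        "${1:-/etc/syslog.conf}"
}

check_remote_syslog() {
    rules=$(remote_syslog_rules "$1")
    [ -n "$rules" ] && { printf '%s\n' "$rules"; return 0; }
    echo "No remote syslog destination in ${1:-/etc/syslog.conf}"
    return 1
}

# Append a forwarding rule. syslog.conf needs a TAB between selector and action;
# the selector list here is illustrative, not one the STIG prescribes.
add_remote_syslog() {
    printf '*.info;auth.notice\t@%s\n' "$2" >> "$1"
}

run_all_checks() {
    overall=0
    check_log_perms "${LOGDIR:-/var/opt/SUNWut/log}" || overall=1
    check_setxid_baseline / "${BASELINE:-/var/adm/setxid.baseline}" || overall=1
    check_remote_syslog "${SYSLOG_CONF:-/etc/syslog.conf}" || overall=1
    return $overall
}

if [ "${1:-}" = "audit" ]; then
    run_all_checks
fi
```

Take the setuid/setgid baseline once with `record_setxid_baseline / /var/adm/setxid.baseline` on a known-good server and keep a copy off the box, then run `sh srss_checks.sh audit` from cron; a non-zero exit means at least one of the three findings is open, and the printed lines say which file or rule is responsible. `fix_log_perms` is intentionally not called from the audit path so that remediation stays a deliberate step.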