UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Server Authentication is not configured on the Sun Ray server.


Overview

Finding ID Version Rule ID IA Controls Severity
V-16148 SUN0180 SV-17137r1_rule ECSC-1 Medium
Description
It is possible to spoof a Sun Ray server or a Sun Ray client and pose as either. This leads to the man-in-the-middle attack, in which an impostor claims to be the Sun Ray server for the clients and pretends to be a client for the server. It then goes about intercepting all the messages and having access to all the secure data. Client and server authentication can resolve this type of attack. Server-side authentication is only supported, through the pre-configured public-private key pairs in Sun Ray Server Software and firmware. The Digital Signature Algorithm (DSA) is used to verify that clients are communicating with a valid Sun Ray server. This authentication scheme is not completely foolproof, but it mitigates man-in-the-middle attacks and makes it harder for attackers to spoof Sun Ray Server Software.
STIG Date
Sun Ray 4 STIG 2015-04-02

Details

Check Text ( C-17190r1_chk )
Within the Sun Ray Administration console, perform the following:
1. Select the Advanced Tab.
2. Select the Security Tab.
3. Verify that “Server Authentication” is checked. If it is not checked, this is a finding.
Fix Text (F-16252r1_fix)
Enable Server Authentication for the Sun Ray server.