Unified Endpoint Management Server Security Requirements Guide


Overview

Date: 2020-12-14
Finding Count (143): CAT I (High): 11, CAT II (Med): 131, CAT III (Low): 1
STIG Description
This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-234668 High The UEM server must be configured to implement FIPS 140-2 mode for all server and agent encryption.
V-234664 High The UEM server must use a FIPS-validated cryptographic module to generate cryptographic hashes.
V-234555 High The UEM server must configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
V-234605 High The UEM server must be maintained at a supported version.
V-234383 High The UEM server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
V-234375 High For UEM server using password authentication, the network element must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.
V-234588 High The UEM server must connect to [assignment: [list of applications]] and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information.
V-234538 High Before establishing a connection to any endpoint device being managed, the UEM server must establish a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device.
V-234363 High The UEM server must use FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
V-234408 High The UEM server must generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.
V-234677 High The application must use FIPS-validated SHA-256 or higher hash function for digital signature generation and verification.
V-234410 Medium In the event of a system failure, the UEM server must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
V-234622 Medium The UEM server must be configured with the periodicity of the following commands to the agent of six hours or less:
  - query connectivity status
  - query the current version of the managed device firmware/software
  - query the current version of installed mobile applications
  - read audit logs kept by the managed device.
V-234347 Medium The UEM server must back up audit records at least every seven days onto a log management server.
V-234341 Medium The UEM server must protect audit information from any type of unauthorized read access.
V-234340 Medium The UEM server must use host operating system clocks to generate time stamps for audit records.
V-234556 Medium The UEM server must verify remote disconnection when non-local maintenance and diagnostic sessions are terminated.
V-234342 Medium The UEM server must protect audit information from unauthorized modification.
V-234349 Medium The UEM server must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
V-234491 Medium The UEM server must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
V-234659 Medium The UEM server must generate audit records for all account creations, modifications, disabling, and termination events.
V-234658 Medium The UEM server must generate audit records for all direct access to the information system.
V-234653 Medium The UEM server must generate audit records when successful/unsuccessful logon attempts occur.
V-234370 Medium The UEM server must enforce password complexity by requiring that at least one lowercase character be used.
V-234651 Medium The UEM server must generate audit records when successful/unsuccessful attempts to delete security objects occur.
V-234657 Medium The UEM server must generate audit records when successful/unsuccessful accesses to objects occur.
V-234656 Medium The UEM server must generate audit records when concurrent logons from different workstations occur.
V-234655 Medium The UEM server must generate audit records showing starting and ending time for user access to the system.
V-234654 Medium The UEM server must generate audit records for privileged activities or other system-level access.
V-234372 Medium The UEM server must enforce password complexity by requiring that at least one special character be used.
V-234465 Medium The UEM server must automatically audit account-enabling actions.
V-234466 Medium The UEM server must notify system administrator and Information System Security Officer (ISSO) of account enabling actions.
V-234543 Medium The UEM server must prohibit the use of cached authenticators after an organization-defined time period.
V-234544 Medium The UEM server, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
V-234330 Medium The UEM server must be configured to produce audit records containing information to establish where the events occurred.
V-234331 Medium The UEM server must be configured to produce audit records containing information to establish the source of the events.
V-234332 Medium The UEM server must be configured to produce audit records that contain information to establish the outcome of the events.
V-234333 Medium The UEM server must be configured to generate audit records containing information that establishes the identity of any individual or process associated with the event.
V-234334 Medium The UEM server must be configured to generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.
V-234335 Medium The UEM SRG must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
V-234669 Medium The UEM server must be configured to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.
V-234666 Medium The UEM server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-234667 Medium The UEM server must be configured to allow authorized administrators to read all audit data from audit records on the server.
V-234665 Medium The UEM server must, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly.
V-234523 Medium The UEM server must enforce access restrictions associated with changes to the server configuration.
V-234343 Medium The UEM server must protect audit information from unauthorized deletion.
V-234475 Medium The UEM server must be configured to have at least one user in defined administrator roles.
V-234473 Medium The UEM server must employ an audited override of automated access control mechanisms under organization-defined conditions.
V-234574 Medium The UEM server must be configured to use X.509v3 certificates for code signing for system software updates.
V-234575 Medium The UEM server must be configured to use X.509v3 certificates for code signing for integrity verification.
V-234406 Medium The UEM server must invalidate session identifiers upon user logout or other session termination.
V-234573 Medium The UEM server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
V-234323 Medium The UEM server must provide audit record generation capability for DoD-defined auditable events within all application components.
V-234673 Medium The UEM server must authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
V-234327 Medium The UEM server must initiate session auditing upon startup.
V-234326 Medium The UEM server must generate audit records when successful/unsuccessful attempts to access privileges occur.
V-234325 Medium The UEM server must be configured to allow only specific administrator roles to select which auditable events are to be audited.
V-234324 Medium The UEM server must be configured to provide audit records in a manner suitable for the Authorized Administrators to interpret the information.
V-234329 Medium The UEM server must be configured to produce audit records containing information to establish when (date and time) the events occurred.
V-234328 Medium The UEM server must be configured to produce audit records containing information to establish what type of events occurred.
V-234407 Medium The UEM server must recognize only system-generated session identifiers.
V-234442 Medium The UEM server must automatically terminate a user session after an organization-defined period of user inactivity.
V-234443 Medium The UEM server must provide logout capability for user-initiated communication sessions.
V-234440 Medium The UEM server must notify system administrators and the Information System Security Officer (ISSO) for account disabling actions.
V-234441 Medium The UEM server must notify system administrators and the Information System Security Officer (ISSO) for account removal actions.
V-234444 Medium The UEM server must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
V-234316 Medium The UEM server must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).
V-234315 Medium The UEM server must notify the user, upon successful logon (access) to the application, of the date and time of the last logon (access).
V-234310 Medium The UEM server must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
V-234311 Medium The UEM server must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.
V-234318 Medium The UEM server must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
V-234351 Medium The UEM server must limit privileges to change the software resident within software libraries.
V-234392 Medium The UEM server must be configured to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and managed devices that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection:-TLS, -HTTPS].
V-234390 Medium The UEM server must be configured to provide a trusted communication channel between itself and authorized IT entities using [selection: -IPsec, -SSH, -mutually authenticated TLS, -mutually authenticated DTLS, -HTTPS].
V-234391 Medium The UEM server must be configured to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and remote administrators that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection:-IPsec,-SSH,-TLS, -HTTPS].
V-234519 Medium The UEM server must verify the digital signature of software before installation and alert the Information System Security Officer (ISSO), Information System Security Manager (ISSM), and other designated personnel if unauthorized software is detected.
V-234516 Medium The UEM server must be configured to record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
V-234517 Medium The UEM server must be configured to record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
V-234596 Medium The UEM server must be configured to write to the server event log when invalid inputs are received.
V-234381 Medium The UEM server must map the authenticated identity to the individual user or group account for PKI-based authentication.
V-234380 Medium The UEM server, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
V-234382 Medium The UEM server must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
V-234409 Medium The UEM server must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
V-234500 Medium The UEM server must be configured to transfer UEM server logs to another server for storage, analysis, and reporting. Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices.
V-234275 Medium The UEM server must limit the number of concurrent sessions per privileged user account to three or less concurrent sessions.
V-234421 Medium The UEM server must check the validity of all data inputs.
V-234277 Medium The UEM server must initiate a session lock after a 15-minute period of inactivity.
V-234276 Medium The UEM server must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
V-234378 Medium When using PKI-based authentication for user access, the UEM server must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
V-234425 Medium The UEM server must reveal error messages only to the Information System Security Manager (ISSM) and Information System Security Officer (ISSO).
V-234426 Medium The UEM server must, when a component failure is detected, activate an organization-defined alarm and/or automatically shut down the application or the component.
V-234374 Medium For UEM server using password authentication, the application must store only cryptographic representations of passwords.
V-234623 Medium The UEM server must run a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server.
V-234376 Medium The UEM server must enforce 24 hours/1 day as the minimum password lifetime.
V-234377 Medium The UEM server must enforce a 60-day maximum password lifetime restriction.
V-234279 Medium The MDM server must retain the session lock until the user reestablishes access using established identification and authentication procedures.
V-234278 Medium The MDM server must provide the capability for users to directly initiate a session lock.
V-234624 Medium The UEM server must alert the system administrator when anomalies in the operation of security functions are discovered.
V-234373 Medium The UEM server must require the change of at least 15 of the total number of characters when passwords are changed.
V-234603 Medium The UEM server must remove old software components after updated versions have been installed.
V-234532 Medium The UEM server must require users (administrators) to reauthenticate when roles change.
V-234533 Medium The UEM server must require end-point devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication.
V-234430 Medium The application must notify the Information System Security Manager (ISSM) and Information System Security Officer (ISSO) of failed security verification tests.
V-234369 Medium The UEM server must enforce password complexity by requiring that at least one uppercase character be used.
V-234368 Medium The UEM server must prohibit password reuse for a minimum of five generations.
V-234367 Medium The UEM server must enforce a minimum 15-character password length.
V-234366 Medium The UEM server must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
V-234439 Medium The UEM server must notify system administrators and the Information System Security Officer (ISSO) when accounts are modified.
V-234364 Medium The UEM server must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.
V-234361 Medium The UEM server must be configured to use DoD PKI for multifactor authentication. This requirement is included in SRG-APP-000149.
V-234360 Medium The UEM server must ensure users are authenticated with an individual authenticator prior to using a group authenticator.
V-234438 Medium The UEM server must notify system administrators and the Information System Security Officer (ISSO) when accounts are created.
V-234288 Medium The UEM server must automatically disable accounts after a 35-day period of account inactivity.
V-234289 Medium The UEM server must automatically audit account creation.
V-234283 Medium The UEM server must use TLS 1.2, or higher, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
V-234286 Medium The UEM server must provide automated mechanisms for supporting account management functions.
V-234287 Medium The UEM server must automatically remove or disable temporary user accounts after 72 hours if supported by the UEM server.
V-234524 Medium The UEM server must audit the enforcement actions used to restrict access associated with changes to the application.
V-234526 Medium The UEM server must disable organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure.
V-234521 Medium The UEM server must be configured to only allow enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications.
V-234520 Medium The UEM server must prohibit user installation of software by an administrator without the appropriate assigned permission for software installation.
V-234371 Medium The UEM server must enforce password complexity by requiring that at least one numeric character be used.
V-234352 Medium The UEM server must be configured to disable non-essential capabilities.
V-234353 Medium The firewall protecting the UEM server platform must be configured so only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).
V-234405 Medium The UEM server must protect the authenticity of communications sessions.
V-234356 Medium The UEM server must be configured to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts.
V-234354 Medium The UEM server must be configured to use only documented platform APIs.
V-234355 Medium The UEM server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-234358 Medium All UEM server local accounts created during application installation and configuration must be removed. Note: In this context local accounts refers to user and or administrator accounts on the server that use user name and password for user access and authentication.
V-234674 Medium If cipher suites using pre-shared keys are used for device authentication, the UEM server must have a minimum security strength of 112 bits or higher.
V-234649 Medium The UEM server must generate audit records when successful/unsuccessful attempts to delete privileges occur.
V-234489 Medium The UEM server must audit the execution of privileged functions.
V-234424 Medium The UEM server must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
V-234642 Medium The UEM server must generate audit records when successful/unsuccessful attempts to access security objects occur.
V-234676 Medium The UEM server must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.
V-234645 Medium The UEM server must generate audit records when successful/unsuccessful attempts to modify privileges occur.
V-234646 Medium The UEM server must generate audit records when successful/unsuccessful attempts to modify security objects occur.
V-234629 Medium The UEM server must be configured to verify software updates to the server using a digital signature mechanism prior to installing those updates.
V-234292 Medium The UEM server must automatically audit account removal actions.
V-234291 Medium The UEM server must automatically audit account disabling actions.
V-234290 Medium The UEM server must automatically audit account modification.
V-234379 Medium When the UEM server cannot establish a connection to determine the validity of a certificate, the server must be configured not to have the option to accept the certificate.
V-234312 Low The UEM server must retain the access banner until the user acknowledges acceptance of the access conditions.