Check: CF11-01-000001
Adobe ColdFusion 11 STIG:
CF11-01-000001
(in versions v2 r1 through v1 r2)
Title
ColdFusion must limit concurrent sessions to the Administrator Console. (Cat III impact)
Discussion
The ColdFusion Administrator Console is used to manage the ColdFusion application server. The console allows a user to configure settings used by hosted applications, maintain connections to external resources, review logs, etc. By disallowing concurrent logons, a user has a method to determine if his account has been compromised (the user will be unable to log into the Administrator Console), and it deters a user from leaving an open idle session on a different workstation, which could also be used by an attacker.
Check Content
Within the Administrator Console, navigate to the "Administrator" settings under the "Security" menu. If the setting "Allow concurrent login sessions for Administrator Console" is checked, this is a finding.
Fix Text
Within the Administrator Console, navigate to the "Administrator" settings under the "Security" menu. To disable concurrent logins, uncheck the "Allow concurrent login sessions for Administrator Console" setting and select the "Submit Changes" button.
Additional Identifiers
Rule ID: SV-237137r641506_rule
Vulnerability ID: V-237137
Group Title: SRG-APP-000001-AS-000001
Expert Comments
CCIs
Number | Definition
---|---
CCI-000054 | Limit the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number.
Controls
Number | Title
---|---
AC-10 | Concurrent Session Control