Check: CF11-04-000128
Adobe ColdFusion 11 STIG:
CF11-04-000128
(in versions v2 r1 through v1 r2)
Title
ColdFusion must authenticate users individually. (Cat II impact)
Discussion
To ensure individual accountability and prevent unauthorized access, application server users must be individually identified and authenticated. A group authenticator is a generic account shared by multiple individuals; used on its own, it does not uniquely identify any one user. ColdFusion is installed with a Root Administrator Account that is configured during installation. This account should be used only for initial setup, before individual user accounts are created, and not for day-to-day operations. When it is used as a group account, accountability is lost, and so is the ability to assign least privilege to each user.
Check Content
Within the Administrator Console, navigate to the "User Manager" page under the "Security" menu. If there are no defined users, this is a finding.
Fix Text
Navigate to the "User Manager" page under the "Security" menu. Create an individual user account for each person who needs access to the Administrator Console, assigning only the roles necessary to perform that person's job function.
Additional Identifiers
Rule ID: SV-237189r641662_rule
Vulnerability ID: V-237189
Group Title: SRG-APP-000153-AS-000104
CCIs
Number | Definition
---|---
CCI-000770 | The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
Controls
Number | Title
---|---
IA-2(5) | Group Authentication