Check: APAS-CF-000040
Adobe ColdFusion STIG:
APAS-CF-000040
(in version v1 r1)
Title
ColdFusion must not have local users. (Cat III impact)
Discussion
To maintain accountability and enforce access control policies, ColdFusion must require each user to authenticate using a unique account. Shared or generic accounts prevent the ability to associate user actions with specific individuals, which undermines auditing, accountability, and incident response capabilities. Unique user accounts ensure that each action taken within the ColdFusion environment can be attributed to a specific, identifiable user. This is essential for detecting misuse, investigating anomalies, and ensuring compliance with security policies.
Check Content
Verify there are no local users.
1. From the Admin Console Landing Screen, navigate to Security >> User Manager.
2. For each user, validate "External User" is checked and "User Type" is selected.
If "External User" is not checked and "User Type" is not selected, this is a finding.
Fix Text
Configure External User Accounts:
1. From the Admin Console Landing Screen, navigate to Security >> User Manager.
2. For any user accounts where "External User" is not checked and "User Type" is not selected:
   a. Edit the user account (or remove the account if it should not exist).
   b. Check the box for "External User".
   c. Select the appropriate "User Type".
   d. Click "Update User" to save the changes.
   e. Verify that no local user accounts remain and that all users are correctly configured as external.
Additional Identifiers
Rule ID: SV-279033r1171269_rule
Vulnerability ID: V-279033
Group Title: SRG-APP-000080-AS-000045
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000166 | Provide irrefutable evidence that an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. |
Controls
| Number | Title |
|---|---|
| AU-10 | Non-repudiation |