Check: APAS-CF-000310
Adobe ColdFusion STIG: APAS-CF-000310 (in version v1 r1)
Title
ColdFusion must be using an enterprise solution for authentication. (Cat I impact)
Discussion
If ColdFusion is not integrated with an enterprise authentication solution, the system may rely on unmanaged local accounts that are difficult to monitor, audit, and control. This can lead to inconsistent password policies, outdated or orphaned credentials, and a lack of centralized visibility over user access.

This STIG standard requires using LDAP as the enterprise authentication mechanism. LDAP integration ensures that authentication is managed through a centralized directory, allowing for strong password enforcement, account lifecycle management, role-based access control, and consolidated audit logging. Without LDAP integration, users may circumvent enterprise identity governance policies, increasing the risk of unauthorized access and administrative oversight gaps.

Enterprise authentication also supports incident response and forensic analysis by enabling consistent tracking of user activities across systems. Relying on ColdFusion's internal authentication alone limits these capabilities and weakens the overall security posture. Integrating ColdFusion with an LDAP-based enterprise authentication service ensures alignment with DOD security standards, improves identity management, and reduces the risk of account compromise or privilege escalation.

Satisfies: SRG-APP-000149-AS-000102, SRG-APP-000118-AS-000078, SRG-APP-000120-AS-000080, SRG-APP-000133-AS-000092, SRG-APP-000148-AS-000101, SRG-APP-000391-AS-000239, SRG-APP-000392-AS-000240, SRG-APP-000402-AS-000247, SRG-APP-000403-AS-000248, SRG-APP-000404-AS-000249, SRG-APP-000405-AS-000250, SRG-APP-000495-AS-000220, SRG-APP-000499-AS-000224, SRG-APP-000506-AS-000231, SRG-APP-000163-AS-000111, SRG-APP-000705-AS-000110
Check Content
Verify LDAP is in use.
1. From the Admin Console Landing Screen, navigate to Security >> Administrator.
2. If "External Authentication" is set to "NONE", this is a finding.
Fix Text
Configure LDAP.
1. From the Admin Console Landing Screen, navigate to Security >> Administrator >> "External Authentication" tab.
2. Configure LDAP:
   - Select the "LDAP" option.
   - Click "Edit LDAP Configuration".
   - Enter the LDAP details.
   - Click "SAVE".
3. If the connection is verified, click "Submit Changes".
Additional Identifiers
Rule ID: SV-279055r1171527_rule
Vulnerability ID: V-279055
Group Title: SRG-APP-000149-AS-000102
CCIs
| Number | Definition |
|---|---|
| CCI-000162 | Protect audit information from unauthorized access. |
| CCI-000164 | Protect audit information from unauthorized deletion. |
| CCI-000172 | Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3. |
| CCI-000764 | Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. |
| CCI-000765 | Implement multifactor authentication for access to privileged accounts. |
| CCI-000795 | The organization manages information system identifiers by disabling the identifier after an organization-defined time period of inactivity. |
| CCI-001499 | Limit privileges to change software resident within software libraries. |
| CCI-001953 | Accept Personal Identity Verification-compliant credentials. |
| CCI-001954 | Electronically verify Personal Identity Verification-compliant credentials. |
| CCI-002009 | Accept Personal Identity Verification-compliant credentials from other federal agencies. |
| CCI-002010 | Electronically verify Personal Identity Verification-compliant credentials from other federal agencies. |
| CCI-002011 | The information system accepts FICAM-approved third-party credentials. |
| CCI-002014 | The information system conforms to FICAM-issued profiles. |
| CCI-003628 | Disable accounts when the accounts are no longer associated to a user. |
Controls
| Number | Title |
|---|---|
| AC-2(3) | Disable Accounts |
| AU-9 | Protection of Audit Information |
| AU-12 | Audit Record Generation |
| CM-5(6) | Limit Library Privileges |
| IA-2 | Identification and Authentication (Organizational Users) |
| IA-2(1) | Multi-factor Authentication to Privileged Accounts |
| IA-2(12) | Acceptance of PIV Credentials |
| IA-8(1) | Acceptance of PIV Credentials from Other Agencies |