An error occurred:

Check: SRG-APP-000149-AS-000102

Application Server SRG: SRG-APP-000149-AS-000102 (in versions v3 r4 through v2 r2)

Title

The application server must use multifactor authentication for network access to privileged accounts. (Cat I impact)

Discussion

Multifactor authentication creates a layered defense and makes it more difficult for an unauthorized person to access the application server. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target. Unlike a simple username/password scenario where the attacker could gain access by knowing both the username and password without the user knowing his account was compromised, multifactor authentication adds the requirement that the attacker must have something from the user, such as a token, or to biometrically be the user. Multifactor authentication is defined as: using two or more factors to achieve authentication. Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g., cryptographic identification device, token); or (iii) something a user is (e.g., biometric). A CAC or PKI Hardware Token meets this definition. A privileged account is defined as an information system account with authorizations of a privileged user. These accounts would be capable of accessing the web management interface. When accessing the application server via a network connection, administrative access to the application server must be PKI Hardware Token enabled.

Check Content

Review the application server configuration to ensure the system is authenticating via multifactor authentication for privileged users. If all aspects of application server web management interfaces are not authenticating privileged users via multifactor authentication methods, this is a finding.

Fix Text

Configure the application server to authenticate privileged users via multifactor authentication for network access to the management interface.

Additional Identifiers

Rule ID: SV-204746r879590_rule

Vulnerability ID: V-204746

Group Title: SRG-APP-000149

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000765

The information system implements multifactor authentication for network access to privileged accounts.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
IA-2 (1)

Network Access To Privileged Accounts