An error occurred:

Check: SRG-APP-000211-AS-000146

Application Server SRG: SRG-APP-000211-AS-000146 (in versions v3 r4 through v2 r2)

Title

The application server must separate hosted application functionality from application server management functionality. (Cat II impact)

Discussion

The application server consists of the management interface and hosted applications. By separating the management interface from hosted applications, the user must authenticate as a privileged user to the management interface before being presented with management functionality. This prevents non-privileged users from having visibility to functions not available to the user. By limiting visibility, a compromised non-privileged account does not offer information to the attacker to functionality and information needed to further the attack on the application server. Application server management functionality includes functions necessary to administer the application server and requires privileged access via one of the accounts assigned to a management role. The hosted application and hosted application functionality consists of the assets needed for the application to function, such as the business logic, databases, user authentication, etc. The separation of application server administration functionality from hosted application functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, network addresses, network ports, or combinations of these methods, as appropriate.

Check Content

Review the application server documentation and configuration to verify that the application server separates admin functionality from hosted application functionality. If the application server does not separate application server admin functionality from hosted application functionality, this is a finding.

Fix Text

Configure the application server so that admin management functionality and hosted applications are separated.

Additional Identifiers

Rule ID: SV-204761r879631_rule

Vulnerability ID: V-204761

Group Title: SRG-APP-000211

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001082

The information system separates user functionality (including user interface services) from information system management functionality.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-2

Application Partitioning