Check: SRG-APP-000154-UEM-000088
Unified Endpoint Management Server SRG:
SRG-APP-000154-UEM-000088
(in versions v2 r3 through v2 r1)
Title
The UEM server must be configured to use DOD PKI for multifactor authentication. This requirement is included in SRG-APP-000149. (Cat II impact)
Discussion
Using an authentication device, such as a common access card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards, such as the U.S. Government Personal Identity Verification card and the DOD CAC. A privileged account is any information system account with authorizations of a privileged user. Network access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection.
Check Content
Verify the UEM server uses DOD PKI for multifactor authentication. If the UEM server does not use DOD PKI for multifactor authentication, this is a finding.
Fix Text
Configure the UEM server to use DOD PKI for multifactor authentication.
Additional Identifiers
Rule ID: SV-234361r985745_rule
Vulnerability ID: V-234361
Group Title: SRG-APP-000154
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-004046 |
Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check |