Title

Authentication is not required for every session requested. (Cat II impact)

Discussion

Requirement: The IAO will ensure that identification and authentication is required for every session requested in accordance with I&A / password policy. Authentication is a measure used to verify the eligibility of a subject and the ability of that subject to access certain information. Authentication protects against the fraudulent use of a system or the deceptive transmission of information. All users must be authenticated prior to every authorized session allowing system access. This is necessary to ensure that no unauthorized sessions are granted.

Check Content

Have the IAO or SA demonstrate compliance with the requirement; minimally on a sampling of the related or effected devices. Inspect configuration files as applicable.

Fix Text

Ensure that all interfaces to the DSN component require authentication before a session is granted.

Additional Identifiers

Rule ID: SV-8478r1_rule

Vulnerability ID: V-7992

Group Title: Authentication is not required for every session

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.