STIGQter: STIG Summary: F5 BIG-IP Access Policy Manager 11.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The BIG-IP APM module must be configured to require multifactor authentication for remote access with non-privileged accounts to virtual servers in such a way that one of the factors is provided by a device separate from the system gaining access.

DISA Rule

SV-215728r557355_rule

Vulnerability Number

V-215728

Group Title

SRG-NET-000339-ALG-000090

Rule Version

F5BI-AP-000193

Severity

CAT II

CCI(s)

• CCI-001951 - The information system implements multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.

Weight

10

Fix Recommendation

If user authentication intermediary services are provided, configure an access policy in the BIG-IP APM module to require multifactor authentication for remote access to non-privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.

Check Contents

If the BIG-IP APM module does not provide user authentication intermediary services, this is not applicable.

Verify the BIG-IP APM module is configured as follows:

Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles.

Click "Edit..." in the "Access Policy" column for an Access Profile used for remote access for non-privileged accounts.

Verify the Access Profile is configured to require multifactor authentication for remote access with non-privileged accounts.

If the BIG-IP APM module is not configured to require multifactor authentication for remote access to non-privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access, this is a finding.

Vulnerability Number

V-215728

Documentable

False

Rule Version

F5BI-AP-000193

Severity Override Guidance

If the BIG-IP APM module does not provide user authentication intermediary services, this is not applicable.

Verify the BIG-IP APM module is configured as follows:

Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles.

Click "Edit..." in the "Access Policy" column for an Access Profile used for remote access for non-privileged accounts.

Verify the Access Profile is configured to require multifactor authentication for remote access with non-privileged accounts.

If the BIG-IP APM module is not configured to require multifactor authentication for remote access to non-privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access, this is a finding.

Check Content Reference

M

Target Key

4018

Comments