SV-222565r508029_rule
V-222565
SRG-APP-000185
APSC-DV-001970
CAT II
10
Configure the application to use strong authentication (CAC) when accessing the application for maintenance purposes.
Review the application documentation and interview the application administrator to identify application maintenance functions.
If the application does not provide non-local maintenance and diagnostic capability, this requirement is not applicable.
Identify the maintenance functions/capabilities that are provided by the application, are performed by an individual/admin, and can be performed remotely.
Examples include but are not limited to:
The application may provide the ability to clean up a folder of temporary files, add users, remove users, restart processes, back up certain files, manage logs, or execute diagnostic sessions.
Have the application admin authenticate to the application in an administrative role and verify that strong credentials (CAC) are required for access when performing application maintenance.
Have the application admin authenticate to the application host OS and verify that strong credentials (CAC) are required for access when performing application maintenance.
If the application administrator is prevented from accessing the OS by policy requirement or separation of duties requirements, this is not a finding.
If a CAC is not used when remotely accessing the application for maintenance or diagnostic sessions, this is a finding.
V-222565
False
APSC-DV-001970
M
4093