CCI-001942

The CA API Gateway providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Low

2 rules found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: High

The CA API Gateway providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.

CounterACT, when providing user authentication intermediary services, must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.

IBM Aspera Console must be configured with a preestablished trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges.

IBM Aspera Faspex must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

IBM Aspera Shares must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

The DataPower Gateway providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.

The Sentry providing mobile device authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts.

Nutanix AOS must implement replay-resistant authentication mechanisms for network access to privileged accounts.

Symantec ProxySG providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.

The Ubuntu operating system must enforce SSHv2 for network access to all accounts.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to implement replay-resistant authentication mechanisms for network access.

The Enterprise Voice, Video, and Messaging Session Manager must be configured to implement attack-resistant mechanisms for Voice Video Endpoint registration.

AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

The Sentry providing mobile device authentication intermediary services must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.

MKE must be configured to integrate with an Enterprise Identity Provider.

The built-in DNS client must be disabled.

Kerberos user logon restrictions must be enforced.

The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.

The Kerberos user ticket lifetime must be limited to 10 hours or less.

The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.

The computer clock synchronization tolerance must be limited to 5 minutes or less.

SLEM 5 must have SSH installed to protect the confidentiality and integrity of transmitted information.

The application must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.

AOS, when used as an IPsec VPN Gateway, must use Internet Key Exchange (IKE) for IPsec VPN security associations (SAs).

The Juniper SRX Services Gateway VPN must use anti-replay mechanisms for security associations.

Windows Server 2019 Kerberos user logon restrictions must be enforced.

Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.

Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less.

Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.

Windows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less.

Windows Server 2022 Kerberos user logon restrictions must be enforced.

Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.

Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less.

Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.

Windows Server 2022 computer clock synchronization tolerance must be limited to five minutes or less.

OpenShift must use FIPS validated LDAP or OpenIDConnect.

RHEL 9 must use the common access card (CAC) smart card driver.

The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).

The ESXi host must use Active Directory for local user authentication.

The ESXi host must uniquely identify and must authenticate organizational users by using Active Directory.

The Photon operating system must use an OpenSSH server version that does not support protocol 1.

The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.