Application Server Security Requirements Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000148 (Group)
  • SRG-APP-000149 (Group)
  • Rule (High Severity): The application server must use multifactor authentication for network access to privileged accounts.
    Multifactor authentication creates a layered defense and makes it more difficult for an unauthorized person to access the application server. If one factor is compromised or broken, the attacker s...
  • SRG-APP-000151 (Group)
  • SRG-APP-000153 (Group)
  • Rule (Medium Severity): The application server must authenticate users individually prior to using a group authenticator.
    To ensure individual accountability and prevent unauthorized access, application server users (and any processes acting on behalf of application server users) must be individually identified and au...
  • SRG-APP-000156 (Group)
  • SRG-APP-000163 (Group)
  • Rule (Medium Severity): The application server must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
    Inactive identifiers pose a risk to systems and applications. Attackers that are able to exploit an inactive identifier can potentially obtain and maintain undetected access to the application. Own...
  • SRG-APP-000171 (Group)
  • SRG-APP-000172 (Group)
  • SRG-APP-000172 (Group)
  • Rule (Medium Severity): The application server must utilize encryption when using LDAP for authentication.
    Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Application servers have the capability to utilize LDAP directorie...
  • SRG-APP-000175 (Group)
  • SRG-APP-000176 (Group)
  • SRG-APP-000177 (Group)
  • Rule (Medium Severity): The application server must map the authenticated identity to the individual user or group account for PKI-based authentication.
    The cornerstone of PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information, but the key can ...
  • SRG-APP-000178 (Group)
  • SRG-APP-000179 (Group)
  • Rule (High Severity): The application server must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.
    Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and ...
  • SRG-APP-000181 (Group)
  • SRG-APP-000206 (Group)
  • Rule (Medium Severity): The application server must identify prohibited mobile code.
    Mobile code is defined as software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution ...
  • SRG-APP-000211 (Group)
  • SRG-APP-000219 (Group)
  • SRG-APP-000220 (Group)
  • Rule (Medium Severity): The application server must invalidate session identifiers upon user logout or other session termination.
    If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the device or networ...
  • SRG-APP-000223 (Group)
  • Rule (Medium Severity): The application server must generate a unique session identifier for each session.
    Unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of session identifier...
  • SRG-APP-000223 (Group)
  • Rule (Medium Severity): The application server must recognize only system-generated session identifiers.
    This requirement focuses on communications protection at the application session, versus network packet level. The intent of this control is to establish grounds for confidence at each end of a com...
  • SRG-APP-000224 (Group)
  • SRG-APP-000225 (Group)
  • Rule (Medium Severity): The application server must be configured to perform complete application deployments.
    Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When an applic...
  • SRG-APP-000225 (Group)
  • Rule (Medium Severity): The application server must provide a clustering capability.
    This requirement is dependent upon system MAC and confidentiality. If the system MAC and confidentiality levels do not specify redundancy requirements, this requirement is NA. Failure to a known s...
  • SRG-APP-000225 (Group)
  • Rule (Medium Severity): The application server must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
    Fail-secure is a condition achieved by the application server in order to ensure that in the event of an operational failure, the system does not enter into an unsecure state where intended securit...
  • SRG-APP-000231 (Group)
  • SRG-APP-000231 (Group)
  • Rule (Medium Severity): The application server must employ cryptographic mechanisms to ensure confidentiality and integrity of all information at rest when stored off-line.
    This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to ...
  • SRG-APP-000251 (Group)
  • SRG-APP-000266 (Group)
  • SRG-APP-000266 (Group)
  • SRG-APP-000267 (Group)
  • Rule (Medium Severity): The application server must restrict error messages only to authorized users.
    If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be caref...
  • SRG-APP-000290 (Group)
  • Rule (Medium Severity): The application server must use cryptographic mechanisms to protect the integrity of log tools.
    Protecting the integrity of the tools used for logging purposes is a critical step in ensuring the integrity of log data. Log data includes all information (e.g., log records, log settings, and log...
  • SRG-APP-000295 (Group)
  • SRG-APP-000296 (Group)