Unified Endpoint Management Server Security Requirements Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The UEM server must protect audit information from any type of unauthorized read access.

    If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In ad...
    Rule Medium Severity
  • SRG-APP-000119

    Group
  • The UEM server must protect audit information from unauthorized modification.

    If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audi...
    Rule Medium Severity
  • SRG-APP-000120

    Group
  • SRG-APP-000125

    Group
  • The UEM server must back up audit records at least every seven days onto a log management server.

    Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an orga...
    Rule Medium Severity
  • SRG-APP-000131

    Group
  • SRG-APP-000133

    Group
  • The UEM server must limit privileges to change the software resident within software libraries.

    If the application were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a ...
    Rule Medium Severity
  • SRG-APP-000141

    Group
  • SRG-APP-000142

    Group
  • The firewall protecting the UEM server platform must be configured so only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).

    All ports, protocols, and services used on DoD networks must be approved and registered via the DoD PPSM process. This is to ensure a risk assessment has been completed before a new port, protocol,...
    Rule Medium Severity
  • SRG-APP-000142

    Group
  • SRG-APP-000148

    Group
  • The UEM server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

    To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational use...
    Rule Medium Severity
  • SRG-APP-000149

    Group
  • The UEM server must be configured to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts.

    A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromise...
    Rule Medium Severity
  • SRG-APP-000151

    Group
  • All UEM server local accounts created during application installation and configuration must be removed. Note: In this context, local accounts refers to user and/or administrator accounts on the server that use a username and password for user access and authentication.

    A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromise...
    Rule Medium Severity
  • SRG-APP-000153

    Group
  • SRG-APP-000154

    Group
  • The UEM server must be configured to use DoD PKI for multifactor authentication. This requirement is included in SRG-APP-000149.

    Using an authentication device, such as a common access card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise...
    Rule Medium Severity
  • SRG-APP-000156

    Group
  • SRG-APP-000157

    Group
  • The UEM server must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.

    A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be ...
    Rule Medium Severity
  • SRG-APP-000164

    Group
  • The UEM server must enforce a minimum 15-character password length.

    The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectivene...
    Rule Medium Severity
  • SRG-APP-000165

    Group
  • The UEM server must prohibit password reuse for a minimum of five generations.

    Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need t...
    Rule Medium Severity
  • SRG-APP-000166

    Group
  • The UEM server must enforce password complexity by requiring that at least one uppercase character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
  • SRG-APP-000167

    Group
  • The UEM server must enforce password complexity by requiring that at least one lowercase character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
  • SRG-APP-000168

    Group
  • SRG-APP-000169

    Group
  • The UEM server must enforce password complexity by requiring that at least one special character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
  • SRG-APP-000170

    Group
  • The UEM server must require the change of at least 50 percent of the previous password's characters.

    If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at ...
    Rule Medium Severity
  • SRG-APP-000171

    Group
  • For UEM servers using password authentication, the application must store only cryptographic representations of passwords.

    Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read and easily compromised. Use of ...
    Rule Medium Severity
  • SRG-APP-000172

    Group
  • For UEM servers using password authentication, the network element must use a FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.

    Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily c...
    Rule High Severity
  • SRG-APP-000174

    Group
  • SRG-APP-000175

    Group
  • When using PKI-based authentication for user access, the UEM server must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

    Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. To meet this requirement, the information...
    Rule Medium Severity
  • SRG-APP-000175

    Group
  • When the UEM server cannot establish a connection to determine the validity of a certificate, the server must be configured not to have the option to accept the certificate.

    When a UEM server accepts an unverified certificate, it may be trusting a malicious actor. For example, messages signed with an invalid certificate may contain links to malware, which could lead t...
    Rule Medium Severity
  • SRG-APP-000176

    Group
  • The UEM server, when using PKI-based authentication, must enforce authorized access to the corresponding private key.

    If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key use...
    Rule Medium Severity
  • SRG-APP-000177

    Group