DocAve must use multifactor authentication for network access to privileged accounts.
An XCCDF Rule
Description
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Something a user is (e.g., biometric). Multifactor authentication decreases the attack surface by virtue of the fact that attackers must obtain two factors, a physical token or a biometric and a PIN, in order to authenticate. It is not enough to simply steal a user's password to obtain access. A privileged account is defined as an information system account with authorizations of a privileged user. Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet).
- ID
- SV-253515r836520_rule
- Version
- DCAV-00-000056
- Severity
- High
- References
- Updated
Remediation Templates
A Manual Procedure
Configure DocAve to use Smart Card Authentication. Settings must be configured in IIS and DocAve. The IIS configuration under DCAV-00-000057 should be performed first.
Log on to DocAve with admin account.
- On the Control Panel page, in the Authentication Manager section, click "Authentication Manager".
- Click "Enable" in the Action column of the Client Certificate Authentication row to enable client certificate authentication.
- Click "Enable" in the Action column of the Windows Authentication row to enable Windows Authentication.