Skip to content

The ICS must be configured to use multifactor authentication (e.g., DOD PKI) for network access to nonprivileged accounts.

An XCCDF Rule

Description

<VulnDiscussion>To ensure accountability and prevent unauthenticated access, nonprivileged users must use multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authentication uses two or more factors to achieve authentication. Use of password for user remote access for nonprivileged account is not authorized. Factors include: (i) Something you know (e.g., password/PIN); (ii) Something you have (e.g., cryptographic identification device, token); or (iii) Something you are (e.g., biometric). A nonprivileged account is any information system account with authorizations of a nonprivileged user. Network access is any access to a network element by a user (or a process acting on behalf of a user) communicating through a network. The DOD CAC with DOD-approved PKI is an example of multifactor authentication. Satisfies: SRG-NET-000140-VPN-000500, SRG-NET-000342-VPN-001360</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-258589r930455_rule
Severity
High
References
Updated



Remediation - Manual Procedure

Configure the user realm to use DOD PKI and the site's authentication servers. A sign-in policy is then applied in accordance with the site's access configuration. The focus for this requirement is on the path so the installation of the device certificates is not included.

In the ICS Web UI, navigate to Authentication >> Auth Servers.
1. Click "New Servers". Under "server type", select Certificate Server >> New Server.
2. Type a Name. Under User Name template type this exactly: <certAttr.altname.UPN>
3. Click "Save Changes".