ColdFusion must require enforced authentication.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279032 | SRG-APP-000080-AS-000045 | APAS-CF-000035 | SV-279032r1171325_rule | 2025-12-19 | 1 |
| Description |
|---|
| ColdFusion must require each authorized user to authenticate and not allow multiple users. Without enforced authentication, there is no reliable method to verify the identity of users accessing the ColdFusion Administrator Console or other secured components of the application server. This lack of accountability can allow unauthorized users to gain elevated privileges, make unauthorized changes, or conceal malicious activity. Requiring a username and password for each user aligns with the principles of least privilege and ensures that access to sensitive configuration and management functions is appropriately controlled. |
| ℹ️ Check |
|---|
| 1. From the Admin Console Landing Screen, navigate to Security >> Administrator. 2. If the "Separate user name and password authentication (allows multiple users)" option is not selected, this is a finding. |
| ✔️ Fix |
|---|
| 1. From the Admin Console Landing Screen, navigate to Security >> Administrator. 2. Select "Separate user name and password authentication (allows multiple users)". 3. Select "Submit Changes". |