ColdFusion must not have local users.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| low | V-279033 | SRG-APP-000080-AS-000045 | APAS-CF-000040 | SV-279033r1171269_rule | 2025-12-19 | 1 |
| Description |
|---|
| To maintain accountability and enforce access control policies, ColdFusion must require each user to authenticate using a unique account. Shared or generic accounts prevent the ability to associate user actions with specific individuals, which undermines auditing, accountability, and incident response capabilities. Unique user accounts ensure that each action taken within the ColdFusion environment can be attributed to a specific, identifiable user. This is essential for detecting misuse, investigating anomalies, and ensuring compliance with security policies. |
| ℹ️ Check |
|---|
| Verify there are no local users. 1. From the Admin Console Landing Screen, navigate to Security >> User Manager. 2. For each user, validate "External User" is checked and "User Type" is selected. If "External User" is not checked and "User Type" is not selected, this is a finding. |
| ✔️ Fix |
|---|
| Configure External User Accounts: 1. From the Admin Console Landing Screen, navigate to Security >> User Manager. 2. For any user accounts where "External User" is not checked and "User Type" is not selected: a. Edit the user account (or remove the account if it should not exist). b. Check the box for "External User". c. Select the appropriate "User Type". d. Click "Update User" to save the changes. e. Verify that no local user accounts remain and that all users are correctly configured as external. |