The Edge SWG must be configured to assign appropriate user roles or access levels to authenticated users.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| high | V-279250 | SRG-APP-000033-NDM-000212 | SYME-ND-000170 | SV-279250r1170680_rule | 2025-12-18 | 1 |
| Description |
|---|
| Successful identification and authentication must not automatically give an entity full access to a network device or security domain. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DOD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset or set of resources. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Some network devices are preconfigured with security groups. Other network devices enable operators to create custom security groups with custom permissions. For example, an information system security manager (ISSM) may require read-only access to audit the network device. Operators may create an audit security group, define permissions and access levels for members of the group, and then assign the ISSM's user persona to the audit security group. This is still considered privileged access, but the ISSM's security group is more restrictive than the network administrator's security group. Network devices that rely on AAA brokers for authentication and authorization services may need to identify the security groups or access levels available on the network device and convey that information to the AAA operator. Once the AAA broker identifies the user persona on the centralized directory service, the user's security group memberships can be retrieved. The AAA operator may need to create a mapping that links target security groups from the directory service to the appropriate security groups or access levels on the network device. Once these mappings are configured, authorizations can happen dynamically, based on each user's directory service group membership. Satisfies: SRG-APP-000033-NDM-000212, SRG-APP-000038-NDM-000213, SRG-APP-000340-NDM-000288, SRG-APP-000378-NDM-000302, SRG-APP-000380-NDM-000304, SRG-APP-000516-NDM-000335 |
| ℹ️ Check |
|---|
| In the Edge SWG Web UI, navigate to the Visual Policy Manager (VPM). Under the layers, if an "Admin Access" layer is not configured, this is a finding. If an "Admin Access" layer is configured, for HTTPS-console, verify the group is derived from the CAC/LDAPS admin group; otherwise, this is a finding. For the SSH-console, verify the group is derived from the LDAPS admin group; otherwise, this is a finding. |
| ✔️ Fix |
|---|
| 1. In the Edge SWG Web UI, navigate to the VPM.<br>2. Click "Add Layer".<br>3. Scroll down and select "Admin Access", then click "Add".<br>4. Locate the "Admin Access Layer (1)" layer that was added and click "Add rule".<br>5. Inside the rule, under "Source", left-click and select "Set".<br>6. Click "Add new Object".<br>7. Select "Group".<br>8. Under the "Group" field, type in the full LDAPS Distinguished Name (DN) for the admin group. For example: CN=broadcom.admins.gsg,OU=BROADCOM,OU=Vendors, DC=dod,DC=local<br>9. Under the "Authentication Realm", select the "CAC certificate" realm.<br>10. Click "Apply", then click "Set".<br>11. In the same rule, left-click in the "Service" field and click "Set".<br>12. Select "Service Name: HTTPS-console" and click "Set".<br>13. In the same rule, left-click in the "Action" field and click "Set".<br>14. Select the action "Allow Read/Write Access" and click "Set".<br>15. Repeat these steps to add the various read-only or read-write groups for the HTTPS-console.<br>16. For the SSH-console, click "Add rule".<br>17. Inside the rule, under "Source", left-click and select "Set".<br>18. Click "Add new Object".<br>19. Select "Group".<br>20. Under the "Group" field, type in the full LDAPS Distinguished Name (DN) for the admin group. For example: CN=broadcom.admins.gsg,OU=BROADCOM,OU=Vendors, DC=dod,DC=local<br>21. Under the "Authentication Realm", select the "LDAPS" realm. Do not select the CAC certificate realm.<br>22. Click "Apply", then click "Set".<br>23. In the same rule, left-click in the "Service" field and click "Set".<br>24. Select "Service Name: SSH-console", and then click "Set".<br>25. In the same rule, left-click in the "Action" field and click "Set".<br>26. Select the action "Allow Read/Write Access" and click "Set".<br>27. Repeat these steps to add the various read-only or read-write groups for the SSH-console. |
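The Check and Fix above describe a manual review of the VPM. The following script, added here as an example and not part of the STIG, a DISA tool, or any Broadcom API, encodes that review as an automated audit: it walks a snapshot of the VPM layers and rules, confirms an "Admin Access" layer exists, and for each console service verifies that every Allow rule takes its group from the realm the Check requires (CAC certificate for HTTPS-console, LDAPS for SSH-console) and that the group is written as a full LDAPS DN, as steps 8 and 20 of the Fix require. The `Layer`/`Rule` classes and the three sample snapshots are constructed for the example; they are not the appliance's policy export format, so a real deployment would need to populate them from whatever policy view it can obtain.

```python
"""Audit an Edge SWG VPM policy snapshot against the SYME-ND-000170 check.

Added example. The data model is a constructed stand-in for what the VPM
displays (layer -> rules -> Source group/realm, Service, Action); it is not
the appliance's export format and not a vendor API.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Rule:
    service: str   # the rule's Service field, e.g. "HTTPS-console"
    group: str     # text of the Group object; must be a full LDAPS DN
    realm: str     # Authentication Realm chosen for the Group object
    action: str    # e.g. "Allow Read/Write Access", "Allow Read-Only Access", "Deny"


@dataclass
class Layer:
    name: str                                   # VPM layer title, e.g. "Admin Access Layer (1)"
    rules: list[Rule] = field(default_factory=list)


# Realm each console service must derive its admin group from (taken from the Check text).
REQUIRED_REALM = {"https-console": "CAC certificate", "ssh-console": "LDAPS"}


def parse_dn(dn: str) -> dict[str, list[str]]:
    """Split an LDAP DN into attribute -> values, honouring backslash-escaped commas.

    Returns an empty dict when any RDN is not of the form attr=value."""
    parts: list[str] = []
    rdn, i = "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape pairs such as '\,' intact
            rdn += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            parts.append(rdn)
            rdn = ""
        else:
            rdn += ch
        i += 1
    parts.append(rdn)

    out: dict[str, list[str]] = {}
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            return {}
        out.setdefault(attr.strip().upper(), []).append(value.strip())
    return out


def is_group_dn(text: str) -> bool:
    """A Group object must be a full DN carrying a CN and at least one DC component."""
    dn = parse_dn(text)
    return bool(dn) and "CN" in dn and "DC" in dn


def audit(layers: list[Layer]) -> list[str]:
    """Return the findings for a policy snapshot; an empty list means the check passes."""
    findings: list[str] = []
    admin_layers = [l for l in layers if l.name.lower().startswith("admin access")]
    if not admin_layers:
        return ["No 'Admin Access' layer is configured in the VPM"]

    rules = [r for layer in admin_layers for r in layer.rules]
    for service, realm in REQUIRED_REALM.items():
        allows = [r for r in rules
                  if r.service.lower() == service and r.action.lower().startswith("allow")]
        if not allows:
            findings.append(f"{service}: no Allow rule in the Admin Access layer")
            continue
        for r in allows:
            if r.realm != realm:
                findings.append(f"{service}: group {r.group!r} uses realm {r.realm!r}, "
                                f"expected {realm!r}")
            if not is_group_dn(r.group):
                findings.append(f"{service}: group {r.group!r} is not a full LDAPS DN")
    return findings


# Constructed sample snapshots (the DN reuses the example DN from the Fix text).
ADMIN_DN = "CN=broadcom.admins.gsg,OU=BROADCOM,OU=Vendors,DC=dod,DC=local"
COMPLIANT = [Layer("Admin Access Layer (1)", [
    Rule("HTTPS-console", ADMIN_DN, "CAC certificate", "Allow Read/Write Access"),
    Rule("SSH-console", ADMIN_DN, "LDAPS", "Allow Read/Write Access"),
])]
NONCOMPLIANT = [Layer("Admin Access Layer (1)", [
    Rule("HTTPS-console", ADMIN_DN, "LDAPS", "Allow Read/Write Access"),   # wrong realm
    Rule("SSH-console", "admins", "LDAPS", "Allow Read-Only Access"),       # bare name, not a DN
])]
NO_LAYER = [Layer("Web Access Layer (1)")]

if __name__ == "__main__":
    for label, snapshot in [("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT),
                            ("no layer", NO_LAYER)]:
        print(label, "->", audit(snapshot) or "no findings")
```

The realm expectations come straight from the Check; treating a group value that does not parse as a DN with CN and DC components as a finding is this example's reading of steps 8 and 20, so adjust `is_group_dn` if the site's directory uses a different naming layout. Read-only Allow rules (steps 15 and 27) are held to the same realm and DN requirements as read/write rules.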