Checked | Name | Title |
---|---|---|
☐ | SV-76565r1_rule | ColdFusion must limit concurrent sessions to the Administrator Console. |
☐ | SV-76839r1_rule | ColdFusion must use cryptography mechanisms to protect the integrity of data sent to the PDF Service. |
☐ | SV-76841r1_rule | ColdFusion must implement cryptography mechanisms to protect the integrity of the remote access session. |
☐ | SV-76843r1_rule | ColdFusion must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
☐ | SV-76845r1_rule | ColdFusion must automatically terminate a user session after user inactivity. |
☐ | SV-76847r1_rule | ColdFusion must set a maximum session time-out value. |
☐ | SV-76849r1_rule | ColdFusion must control remote access to the Administrator Console. |
☐ | SV-76851r1_rule | ColdFusion must control remote access to Exposed Services. |
☐ | SV-76853r1_rule | ColdFusion must control user access to Exposed Services. |
☐ | SV-76855r1_rule | ColdFusion must require a username and password for access by each authorized user. |
☐ | SV-76857r1_rule | ColdFusion must require each user to authenticate with a unique account. |
☐ | SV-76859r1_rule | When ColdFusion is configured in a clustered configuration, ColdFusion must be configured to write log records from the clustered system components into a system-wide log trail that can be correlated. |
☐ | SV-76861r1_rule | ColdFusion must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged. |
☐ | SV-76863r1_rule | ColdFusion must log scheduled tasks. |
☐ | SV-76865r1_rule | The ColdFusion log information must be protected from any type of unauthorized read access through the Administrator Console. |
☐ | SV-76867r1_rule | The ColdFusion log information must be protected from any type of unauthorized read access by having file permissions set properly. |
☐ | SV-76869r1_rule | The ColdFusion log information must be protected from any type of unauthorized modification by having file permissions set properly. |
☐ | SV-76871r1_rule | The ColdFusion log information must be protected from any type of unauthorized deletion through the Administrator Console. |
☐ | SV-76873r1_rule | The ColdFusion log information must be protected from any type of unauthorized deletion by having file permissions set properly. |
☐ | SV-76875r1_rule | ColdFusion must send log records to the operating system logging facility. |
☐ | SV-76877r1_rule | ColdFusion must allocate log record storage capacity in accordance with organization-defined log record storage requirements. |
☐ | SV-76879r1_rule | ColdFusion log records must be off-loaded onto a different system or media from the system being logged. |
☐ | SV-76881r1_rule | ColdFusion logs must, at a minimum, be transferred simultaneously for interconnected systems and transferred weekly for standalone systems. |
☐ | SV-76883r1_rule | The ColdFusion log information must be protected from any type of unauthorized read access by having file ownership set properly. |
☐ | SV-76885r1_rule | The ColdFusion log information must be protected from any type of unauthorized modification by having file ownership set properly. |
☐ | SV-76887r1_rule | The ColdFusion log information must be protected from any type of unauthorized deletion by having file ownership set properly. |
☐ | SV-76889r1_rule | ColdFusion must limit applications from changing shared Java components. |
☐ | SV-76891r1_rule | ColdFusion must limit privileges, within the Administrator Console, to change the software resident within software libraries. |
☐ | SV-76893r1_rule | ColdFusion must protect software libraries from being changed by OS users. |
☐ | SV-76895r1_rule | ColdFusion must only allow approved file extensions. |
☐ | SV-76897r1_rule | ColdFusion must disable Flash Remoting support. |
☐ | SV-76899r1_rule | ColdFusion must disable the In-Memory File System. |
☐ | SV-76901r1_rule | ColdFusion must have Event Gateway Services disabled. |
☐ | SV-76903r1_rule | ColdFusion must have Remote Development Services (RDS) disabled. |
☐ | SV-76905r1_rule | ColdFusion must have Remote Adobe LiveCycle Data Management access disabled. |
☐ | SV-76907r1_rule | ColdFusion must have the WebSocket Service disabled. |
☐ | SV-76909r1_rule | ColdFusion must have example data sources removed. |
☐ | SV-76911r1_rule | The ColdFusion built-in Tomcat Web Server must be disabled. |
☐ | SV-76913r1_rule | ColdFusion must have Remote Inspection disabled. |
☐ | SV-76915r1_rule | ColdFusion must protect internal cookies from being updated by hosted applications. |
☐ | SV-76917r1_rule | ColdFusion must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments. |
☐ | SV-76919r1_rule | ColdFusion must disable auto reloading of configuration files on file changes. |
☐ | SV-76921r1_rule | The ColdFusion Root Administrator account must have a unique username. |
☐ | SV-76923r1_rule | ColdFusion must execute as a non-privileged user. |
☐ | SV-76925r1_rule | ColdFusion accounts with access to the Administrator Console must be approved. |
☐ | SV-76927r1_rule | ColdFusion must protect newly created objects. |
☐ | SV-76929r1_rule | ColdFusion must have Sandbox Security enabled. |
☐ | SV-76931r1_rule | ColdFusion must have Sandboxes defined for application execution. |
☐ | SV-76933r1_rule | ColdFusion must have the Default ScriptSrc Directory set to a non-default value. |
☐ | SV-76935r1_rule | ColdFusion must contain the most recent update. |
☐ | SV-76937r1_rule | ColdFusion must have example collections removed. |
☐ | SV-76939r1_rule | ColdFusion must have example gateway instances removed. |
☐ | SV-76941r1_rule | ColdFusion must authenticate users individually. |
☐ | SV-76943r1_rule | ColdFusion must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data. |
☐ | SV-76945r1_rule | ColdFusion must transmit only encrypted representations of passwords for Flex Integration. |
☐ | SV-76947r1_rule | The ColdFusion Administrator Console must transmit only encrypted representations of passwords. |
☐ | SV-76949r1_rule | ColdFusion must transmit only encrypted representations of passwords to the mail server. |
☐ | SV-76951r1_rule | Only authenticated system administrators or the designated PKI Sponsor for ColdFusion must have access to ColdFusion's private key. |
☐ | SV-76953r1_rule | The ColdFusion Administrator Console must be hosted on a management network. |
☐ | SV-76955r1_rule | The ColdFusion Administrator Console must be hosted in a management sandbox. |
☐ | SV-76957r1_rule | ColdFusion must disable creation of unnamed applications. |
☐ | SV-76959r1_rule | ColdFusion must not allow application variables to be added to Servlet Context. |
☐ | SV-76961r1_rule | ColdFusion must enable UUID for session identifier generation. |
☐ | SV-76963r1_rule | ColdFusion must use J2EE session variables. |
☐ | SV-76965r1_rule | ColdFusion must set session cookies as browser session cookies. |
☐ | SV-76967r1_rule | ColdFusion must provide a clustering capability. |
☐ | SV-76969r2_rule | ColdFusion must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. |
☐ | SV-76971r1_rule | ColdFusion, when part of a mission critical system, must be in a high-availability (HA) cluster. |
☐ | SV-76973r1_rule | ColdFusion must not store user information in the server registry. |
☐ | SV-76975r1_rule | ColdFusion must limit the maximum number of Flash Remoting requests. |
☐ | SV-76977r1_rule | ColdFusion must limit the SQL commands available. |
☐ | SV-76979r1_rule | ColdFusion must set a query timeout for Data Sources. |
☐ | SV-76981r2_rule | ColdFusion must limit the maximum number of Web Service requests. |
☐ | SV-76983r2_rule | ColdFusion must limit the maximum number of CFC function requests. |
☐ | SV-76985r1_rule | ColdFusion must limit the maximum number of simultaneous Report threads. |
☐ | SV-76987r1_rule | ColdFusion must limit the maximum number of threads available for CFTHREAD. |
☐ | SV-76989r2_rule | ColdFusion must set a timeout for requests. |
☐ | SV-76991r1_rule | ColdFusion must set a timeout for logins. |
☐ | SV-76993r1_rule | ColdFusion must limit the time-out for requests waiting in the queue. |
☐ | SV-76995r1_rule | ColdFusion must have a custom request queue time-out page. |
☐ | SV-76997r2_rule | ColdFusion must limit the maximum number of POST requests parameters. |
☐ | SV-76999r1_rule | ColdFusion must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version. |
☐ | SV-77001r1_rule | ColdFusion must encrypt cookies. |
☐ | SV-77003r1_rule | ColdFusion must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission. |
☐ | SV-77005r1_rule | ColdFusion must encrypt patch retrieval. |
☐ | SV-77007r1_rule | ColdFusion must protect Session Cookies from being read by scripts. |
☐ | SV-77009r1_rule | ColdFusion must prevent JavaScript Object Notation (JSON) hijacking of data. |
☐ | SV-77011r1_rule | ColdFusion must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates. |
☐ | SV-77013r1_rule | The ColdFusion missing template handler must be valid. |
☐ | SV-77015r1_rule | The ColdFusion site-wide error handler must be valid. |
☐ | SV-77017r1_rule | ColdFusion must have Robust Exception Information disabled. |
☐ | SV-77019r1_rule | ColdFusion must have AJAX Debug Log Window disabled. |
☐ | SV-77021r1_rule | ColdFusion must have Request Debugging Output disabled. |
☐ | SV-77023r1_rule | ColdFusion must have Allow Line Debugging disabled. |
☐ | SV-77025r1_rule | The ColdFusion error messages must be restricted to only authorized users. |
☐ | SV-77027r1_rule | ColdFusion must have ColdFusion component (CFC) type checking enabled. |
☐ | SV-77029r1_rule | ColdFusion must enable Global Script Protection. |
☐ | SV-77031r1_rule | ColdFusion must remove software components after updated versions have been installed. |
☐ | SV-77033r1_rule | ColdFusion must be set to automatically check for updates. |
☐ | SV-77035r1_rule | ColdFusion must have notifications enabled when a server update is available. |