STIGQter: STIG Summary: Adobe ColdFusion 11 Security Technical Implementation Guide

Version: 1

Release: 4

Benchmark Date: 26 Jan 2018

Name             Title
SV-76565r1_rule  ColdFusion must limit concurrent sessions to the Administrator Console.
SV-76839r1_rule  ColdFusion must use cryptography mechanisms to protect the integrity of data sent to the PDF Service.
SV-76841r1_rule  ColdFusion must implement cryptography mechanisms to protect the integrity of the remote access session.
SV-76843r1_rule  ColdFusion must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
SV-76845r1_rule  ColdFusion must automatically terminate a user session after user inactivity.
SV-76847r1_rule  ColdFusion must set a maximum session time-out value.
SV-76849r1_rule  ColdFusion must control remote access to the Administrator Console.
SV-76851r1_rule  ColdFusion must control remote access to Exposed Services.
SV-76853r1_rule  ColdFusion must control user access to Exposed Services.
SV-76855r1_rule  ColdFusion must require a username and password for access by each authorized user.
SV-76857r1_rule  ColdFusion must require each user to authenticate with a unique account.
SV-76859r1_rule  When ColdFusion is configured in a clustered configuration, ColdFusion must be configured to write log records from the clustered system components into a system-wide log trail that can be correlated.
SV-76861r1_rule  ColdFusion must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.
SV-76863r1_rule  ColdFusion must log scheduled tasks.
SV-76865r1_rule  The ColdFusion log information must be protected from any type of unauthorized read access through the Administrator Console.
SV-76867r1_rule  The ColdFusion log information must be protected from any type of unauthorized read access by having file permissions set properly.
SV-76869r1_rule  The ColdFusion log information must be protected from any type of unauthorized modification by having file permissions set properly.
SV-76871r1_rule  The ColdFusion log information must be protected from any type of unauthorized deletion through the Administrator Console.
SV-76873r1_rule  The ColdFusion log information must be protected from any type of unauthorized deletion by having file permissions set properly.
SV-76875r1_rule  ColdFusion must send log records to the operating system logging facility.
SV-76877r1_rule  ColdFusion must allocate log record storage capacity in accordance with organization-defined log record storage requirements.
SV-76879r1_rule  ColdFusion log records must be off-loaded onto a different system or media from the system being logged.
SV-76881r1_rule  ColdFusion logs must, at a minimum, be transferred simultaneously for interconnected systems and transferred weekly for standalone systems.
SV-76883r1_rule  The ColdFusion log information must be protected from any type of unauthorized read access by having file ownership set properly.
SV-76885r1_rule  The ColdFusion log information must be protected from any type of unauthorized modification by having file ownership set properly.
SV-76887r1_rule  The ColdFusion log information must be protected from any type of unauthorized deletion by having file ownership set properly.
SV-76889r1_rule  ColdFusion must limit applications from changing shared Java components.
SV-76891r1_rule  ColdFusion must limit privileges, within the Administrator Console, to change the software resident within software libraries.
SV-76893r1_rule  ColdFusion must protect software libraries from being changed by OS users.
SV-76895r1_rule  ColdFusion must only allow approved file extensions.
SV-76897r1_rule  ColdFusion must disable Flash Remoting support.
SV-76899r1_rule  ColdFusion must disable the In-Memory File System.
SV-76901r1_rule  ColdFusion must have Event Gateway Services disabled.
SV-76903r1_rule  ColdFusion must have Remote Development Services (RDS) disabled.
SV-76905r1_rule  ColdFusion must have Remote Adobe LiveCycle Data Management access disabled.
SV-76907r1_rule  ColdFusion must have the WebSocket Service disabled.
SV-76909r1_rule  ColdFusion must have example data sources removed.
SV-76911r1_rule  The ColdFusion built-in Tomcat Web Server must be disabled.
SV-76913r1_rule  ColdFusion must have Remote Inspection disabled.
SV-76915r1_rule  ColdFusion must protect internal cookies from being updated by hosted applications.
SV-76917r1_rule  ColdFusion must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments.
SV-76919r1_rule  ColdFusion must disable auto reloading of configuration files on file changes.
SV-76921r1_rule  The ColdFusion Root Administrator account must have a unique username.
SV-76923r1_rule  ColdFusion must execute as a non-privileged user.
SV-76925r1_rule  ColdFusion accounts with access to the Administrator Console must be approved.
SV-76927r1_rule  ColdFusion must protect newly created objects.
SV-76929r1_rule  ColdFusion must have Sandbox Security enabled.
SV-76931r1_rule  ColdFusion must have Sandboxes defined for application execution.
SV-76933r1_rule  ColdFusion must have the Default ScriptSrc Directory set to a non-default value.
SV-76935r1_rule  ColdFusion must contain the most recent update.
SV-76937r1_rule  ColdFusion must have example collections removed.
SV-76939r1_rule  ColdFusion must have example gateway instances removed.
SV-76941r1_rule  ColdFusion must authenticate users individually.
SV-76943r1_rule  ColdFusion must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.
SV-76945r1_rule  ColdFusion must transmit only encrypted representations of passwords for Flex Integration.
SV-76947r1_rule  The ColdFusion Administrator Console must transmit only encrypted representations of passwords.
SV-76949r1_rule  ColdFusion must transmit only encrypted representations of passwords to the mail server.
SV-76951r1_rule  Only authenticated system administrators or the designated PKI Sponsor for ColdFusion must have access to ColdFusion's private key.
SV-76953r1_rule  The ColdFusion Administrator Console must be hosted on a management network.
SV-76955r1_rule  The ColdFusion Administrator Console must be hosted in a management sandbox.
SV-76957r1_rule  ColdFusion must disable creation of unnamed applications.
SV-76959r1_rule  ColdFusion must not allow application variables to be added to Servlet Context.
SV-76961r1_rule  ColdFusion must enable UUID for session identifier generation.
SV-76963r1_rule  ColdFusion must use J2EE session variables.
SV-76965r1_rule  ColdFusion must set session cookies as browser session cookies.
SV-76967r1_rule  ColdFusion must provide a clustering capability.
SV-76969r2_rule  ColdFusion must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
SV-76971r1_rule  ColdFusion, when part of a mission critical system, must be in a high-availability (HA) cluster.
SV-76973r1_rule  ColdFusion must not store user information in the server registry.
SV-76975r1_rule  ColdFusion must limit the maximum number of Flash Remoting requests.
SV-76977r1_rule  ColdFusion must limit the SQL commands available.
SV-76979r1_rule  ColdFusion must set a query timeout for Data Sources.
SV-76981r2_rule  ColdFusion must limit the maximum number of Web Service requests.
SV-76983r2_rule  ColdFusion must limit the maximum number of CFC function requests.
SV-76985r1_rule  ColdFusion must limit the maximum number of simultaneous Report threads.
SV-76987r1_rule  ColdFusion must limit the maximum number of threads available for CFTHREAD.
SV-76989r2_rule  ColdFusion must set a timeout for requests.
SV-76991r1_rule  ColdFusion must set a timeout for logins.
SV-76993r1_rule  ColdFusion must limit the time-out for requests waiting in the queue.
SV-76995r1_rule  ColdFusion must have a custom request queue time-out page.
SV-76997r2_rule  ColdFusion must limit the maximum number of POST request parameters.
SV-76999r1_rule  ColdFusion must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version.
SV-77001r1_rule  ColdFusion must encrypt cookies.
SV-77003r1_rule  ColdFusion must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
SV-77005r1_rule  ColdFusion must encrypt patch retrieval.
SV-77007r1_rule  ColdFusion must protect Session Cookies from being read by scripts.
SV-77009r1_rule  ColdFusion must prevent JavaScript Object Notation (JSON) hijacking of data.
SV-77011r1_rule  ColdFusion must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
SV-77013r1_rule  The ColdFusion missing template handler must be valid.
SV-77015r1_rule  The ColdFusion site-wide error handler must be valid.
SV-77017r1_rule  ColdFusion must have Robust Exception Information disabled.
SV-77019r1_rule  ColdFusion must have AJAX Debug Log Window disabled.
SV-77021r1_rule  ColdFusion must have Request Debugging Output disabled.
SV-77023r1_rule  ColdFusion must have Allow Line Debugging disabled.
SV-77025r1_rule  The ColdFusion error messages must be restricted to only authorized users.
SV-77027r1_rule  ColdFusion must have ColdFusion component (CFC) type checking enabled.
SV-77029r1_rule  ColdFusion must enable Global Script Protection.
SV-77031r1_rule  ColdFusion must remove software components after updated versions have been installed.
SV-77033r1_rule  ColdFusion must be set to automatically check for updates.
SV-77035r1_rule  ColdFusion must have notifications enabled when a server update is available.