<?xml version="1.0" encoding="UTF-8"?>
<CHECKLIST>
  <ASSET>
    <ROLE>None</ROLE>
    <ASSET_TYPE>Computing</ASSET_TYPE>
    <HOST_NAME></HOST_NAME>
    <HOST_IP></HOST_IP>
  </ASSET>
  <STIGS>
    <iSTIG>
      <STIG_INFO>
        <SI_DATA>
          <SID_NAME>title</SID_NAME>
          <SID_DATA>Ivanti Policy Secure NDM Security Technical Implementation Guide</SID_DATA>
        </SI_DATA>
        <SI_DATA>
          <SID_NAME>version</SID_NAME>
          <SID_DATA>1</SID_DATA>
        </SI_DATA>
        <SI_DATA>
          <SID_NAME>releaseinfo</SID_NAME>
          <SID_DATA>Release: 1</SID_DATA>
        </SI_DATA>
      </STIG_INFO>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284518</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284518r1244923_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to Authentication &gt;&gt; Auth Servers &gt;&gt; Administrators.
2. Under the section &quot;Account Lockout&quot;, verify &quot;Enable Account Lockout for users&quot; is checked.
3. Verify &quot;Maximum wrong password attempts&quot; is set to &quot;3&quot;.
4. Verify &quot;Account Lockout Period in Minutes&quot; is set to &quot;15&quot;.

If account lockout is not configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to Authentication &gt;&gt; Auth Servers &gt;&gt; Administrators.
2. Under the section &quot;Account Lockout&quot;, check the box for &quot;Enable Account Lockout for users&quot;.
3. Under the section &quot;Account Lockout&quot; set &quot;Maximum wrong password attempts&quot; to &quot;3&quot;.
4. Under the section &quot;Account Lockout&quot; set &quot;Account Lockout Period in Minutes&quot; to &quot;15&quot;.
5. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284519</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284519r1244925_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must be configured to display the Standard Mandatory DoW Notice and Consent Banner before granting access to the device.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Display of the DoW-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via logon interfaces with human users.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Determine if the DoW-approved banner is presented before accessing Policy Secure.

1. In the Web UI, navigate to Authentication &gt;&gt; Signing In &gt;&gt; Sign-In Policies.
2. Click &quot;*/admin/&quot; (or the custom URL used for common access card [CAC]/public key access [PKI] token admin access).

Under &quot;Configure Sign In Notifications&quot; if the &quot;Pre-Auth Sign-in Notification&quot; is not checked, or if the previously mentioned notification text is not assigned to this policy, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to Authentication &gt;&gt; Signing In &gt;&gt; Sign-In Notifications.
2. Click &quot;New Notification&quot;.
3. For name, type: &quot;DOD Notice and Consent&quot;.
4. In the text box, enter the following:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
5. Click &quot;Save Changes&quot;.
6. Go to Authentication &gt;&gt; Signing In &gt;&gt; Sign-In Policies.
7. Click the &quot;*/admin/&quot; (or the custom URL used for CAC/PKI token admin access).
8. Under &quot;Configure Sign In Notifications&quot;, check the box for &quot;Pre-Auth Sign-in Notification&quot; and in the drop-down menu, assign the notification titled &quot;DOD Notice and Consent&quot;.
9. Repeat steps 7 and 8 for each role or URL.

Note: If the Use the Sign-in Notification associated to the assigned role is enabled, complete the implementation by selecting the sign-in notification on the Users &gt;&gt; User Roles &gt;&gt; Role Name &gt;&gt; General &gt;&gt; UI Options page or Administrators &gt;&gt; Admin Roles &gt;&gt; Role Name &gt;&gt; General &gt;&gt; UI Options page.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284520</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284520r1244926_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must be configured to enable &quot;Detailed Log Note&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>It is essential for security personnel to know what is being done, what was attempted, where it was done, when it was done, and by whom it was done to compile an accurate risk assessment. Associating event types with detected events in the application and audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured network device. Without this capability, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.

Satisfies: SRG-APP-000095-NDM-000225, SRG-APP-000096-NDM-000226, SRG-APP-000097-NDM-000227, SRG-APP-000098-NDM-000228, SRG-APP-000099-NDM-000229, SRG-APP-000101-NDM-000231</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>In the Web UI, navigate to System &gt;&gt; Log/Monitoring &gt;&gt; User Access &gt;&gt; Settings.

Under the &quot;Select Events to Log&quot; section, if &quot;Detailed Log Note&quot; is not checked, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to System &gt;&gt; Log/Monitoring &gt;&gt; User Access &gt;&gt; Settings.
2. Under the &quot;Select Events to Log&quot; section, check the box for &quot;Detailed Log Note&quot;.
3. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284521</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284521r1244927_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must be configured to use internal system clocks to generate time stamps for audit records.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>In order to determine what is happening within the network infrastructure or to resolve and trace an attack, the network device must support the organization&apos;s capability to correlate the audit log data from multiple network devices to acquire a clear understanding of events. In order to correlate auditable events, time stamps are needed on all of the log records.

If the internal clock is not used, the system may not be able to provide time stamps for log messages. Additionally, externally generated time stamps may not be accurate. Applications can use the capability of an operating system or purpose-built module for this purpose. Note: The internal clock is required to be synchronized with authoritative time sources by other requirements.

Satisfies: SRG-APP-000116-NDM-000234, SRG-APP-000374-NDM-000299</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to System &gt;&gt; Status &gt;&gt; Dashboard.
2. Click the &quot;Overview&quot; tab.
3. Under &quot;Appliance Details&quot; and &quot;System Date and Time&quot;, select &quot;Edit&quot;.

If the &quot;Time Zone&quot; is not set to &quot;(GMT) Coordinated Universal Time&quot; this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to System &gt;&gt; Status &gt;&gt; Dashboard.
2. Click the &quot;Overview&quot; tab.
3. Under &quot;Appliance Details&quot; and &quot;System Date and Time&quot;, select &quot;Edit&quot;.
4. Select &quot;(GMT) Coordinated Universal Time&quot;.
5. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284522</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284522r1244928_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must be configured to map group definitions to role assignments for administrators based on access authorizations.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Changes to any software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. If the network device were to enable nonauthorized users to make changes to software libraries, audit tools, and system software, these changes could be implemented without undergoing testing, validation, and approval.

Satisfies: SRG-APP-000133-NDM-000244, SRG-APP-000033-NDM-000212, SRG-APP-000038-NDM-000213, SRG-APP-000119-NDM-000236, SRG-APP-000120-NDM-000237, SRG-APP-000121-NDM-000238, SRG-APP-000122-NDM-000239, SRG-APP-000123-NDM-000240, SRG-APP-000329-NDM-000287, SRG-APP-000231-NDM-000271</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Ivanti Policy Secure Web UI, navigate to Administrators &gt;&gt; Admin Realms &gt;&gt; Admin Realms.
2. Click the admin realm that is currently being used on the Policy Secure for CAC/PKI token administrator logins.
3. View the &quot;Role Mapping&quot; tab. 

If there are not two group definitions to Role Assignments for Admin and Read-Only, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure the admin realm that is currently being used on the Policy Secure for CAC/PKI token administrator logins.

1. In the Ivanti Policy Secure Web UI, navigate to Administrators &gt;&gt; Admin Realms &gt;&gt; Admin Realms.
2. Select the admin realm that is currently being used on the Policy Secure for CAC/PKI token administrator logins.
3. Click &quot;Role Mappings&quot;.
4. Click &quot;New Rule&quot;.
5. Click &quot;Rule Based&quot; on Group Membership&quot;.
6. Click &quot;Update&quot;.
7. Type a name for the admin group.
8. Under available groups, select the LDAP group for admins (e.g., &quot;ivanti.admins.gsg&quot;). If no groups currently exist in the window, click &quot;Groups&quot; and add the group from the LDAP directory window that pops up.
9. Under &quot;Available Roles&quot;, select &quot;.Administrators&quot;.
10. Click &quot;Save Changes&quot;.
11. Click &quot;New Rule&quot;.
12. Click &quot;Rule Based&quot; on &quot;Group Membership&quot;.
13. Click &quot;Update&quot;.
14. Type a name for the read-only group.
15. Under available groups, select the LDAP group for nonadmins (e.g., &quot;ivanti.ROadmin.gsg&quot;). If no groups currently exist in the window, click &quot;Groups&quot; and add the group from the LDAP directory window that pops up.
16. Under &quot;Available Roles&quot;, select &quot;.Read-Only Administrators&quot;.
17. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284523</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284523r1244929_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must be configured with only one local account to be used as the account of last resort in the event the authentication server is unavailable.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device&apos;s local database for use when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is referred to as the account of last resort since it is intended to be used as a last resort and when immediate administrative access is absolutely necessary.

The account of last resort logon credentials must be stored in a sealed envelope and kept in a safe. The safe must be periodically audited to verify the envelope remains sealed. The signature of the auditor and the date of the audit should be added to the envelope as a record. Administrators should secure the credentials and disable the root account (if possible) when not needed for system administration functions.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to Authentication &gt;&gt; Auth Servers &gt;&gt; Administrators.
2. Select the &quot;Users&quot; tab and review the user list.

If more than one local user exists, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to Authentication &gt;&gt; Auth Servers &gt;&gt; Administrators.
2. Click the &quot;Users&quot; tab.
3. Create the emergency local user or click the default admin user.
4. Click &quot;Enabled&quot;.
5. Click &quot;Allow Console Access&quot;.
6. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284524</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284524r1244930_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must enforce a minimum 15-character password length.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password.

The shorter the password, the lower the number of possible combinations that must be tested before the password is compromised. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.

Satisfies: SRG-APP-000164-NDM-000252, SRG-APP-000860-NDM-000250, SRG-APP-000845-NDM-000220</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>In the Web UI, navigate to Authentication &gt;&gt; Auth Servers &gt;&gt; Administrators.

If the minimum length is not 15 characters, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to Authentication &gt;&gt; Auth Servers &gt;&gt; Administrators.
2. For minimum length, enter &quot;15&quot;.
3. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284525</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284525r1244994_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must enforce password complexity by requiring least one uppercase and at least one lowercase character be used.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Using complex passwords helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.

Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.

Satisfies: SRG-APP-000166-NDM-000254, SRG-APP-000167-NDM-000255</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>In the Web UI, navigate to Authentication &gt;&gt; Auth Servers &gt;&gt; Administrators.

If &quot;Password must have mix of UPPERCASE and lowercase letters&quot; is not checked or &quot;Password must have at least __ letters&quot; is not set to &quot;1&quot; or more, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to Authentication &gt;&gt; Auth Servers &gt;&gt; Administrators.
2. Select &quot;Password must have at least __ letters&quot;.
3. In the box enter &quot;1&quot; or more.
4. Check the box for &quot;Password must have mix of UPPERCASE and lowercase letters&quot;.
5. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284526</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284526r1244932_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must enforce password complexity by requiring that at least one numeric character be used.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Using a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>In the Web UI, navigate to Authentication &gt;&gt; Auth Servers &gt;&gt; Administrators.

If the value for the setting for &quot;Password must have at least __ digits&quot; is not &quot;1&quot; or more, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to Authentication &gt;&gt; Auth Servers &gt;&gt; Administrators.
2. Check the box for &quot;Password must have at least __ digits&quot;.
3. In the box, enter &quot;1&quot;.
4. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284527</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284527r1244933_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must enforce password complexity by requiring that at least one special character be used.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using PKI is not available, and for the account of last resort and root account.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>In the Web UI, navigate to Authentication &gt;&gt; Auth Servers &gt;&gt; Administrators.

If the value for &quot;Password must have at least __ Special Characters&quot; is not set to &quot;1&quot; or more, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. Check the box for &quot;Password must have at least __ Special Characters&quot;.
2. In the box, enter &quot;1&quot; or more.
3. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284528</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284528r1244934_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must require that when a password is changed, the characters are changed in at least eight of the positions within the password.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>In the Web UI, navigate to Authentication &gt;&gt; Auth Servers &gt;&gt; Administrators.

If the setting for &quot;new password must differ from the previous password position&quot; and the value of &quot;new password must differ from the previous password position&quot; is not set to &quot;8&quot;, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to Authentication &gt;&gt; Auth Servers &gt;&gt; Administrators.
2. Check the box for &quot;new password must differ from the previous password position&quot;.
3. In the box, enter &quot;8&quot; or more.
4. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284529</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284529r1244935_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must be configured to transmit only encrypted representations of passwords.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Multifactor authentication (MFA) is required for all administrative and user accounts on network devices, except for an account of last resort and (where applicable) a root account. Passwords should only be used when MFA using public key infrastructure (PKI) is not available, and for the account of last resort and root account.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to System &gt;&gt; Configuration &gt;&gt; Inbound SSL Options.
2. Under &quot;Allowed SSL and TLS Version&quot;, verify &quot;Accept only TLS 1.2 (maximize security)&quot; is selected.
3. Navigate to System &gt;&gt; Configuration &gt;&gt; Outbound SSL Options.
4. View the setting for &quot;Allowed SSL and TLS Version&quot;.

If &quot;Accept only TLS 1.2 (maximize security)&quot; is not checked, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to System &gt;&gt; Configuration &gt;&gt; Inbound SSL Options.
2. Under &quot;Allowed SSL and TLS Version&quot;, check the box for &quot;Accept only TLS 1.2 (maximize security)&quot;.
3. Click &quot;Save Changes&quot;.
4. Click &quot;Proceed&quot; to accept the cipher change.
5. Navigate to System &gt;&gt; Configuration &gt;&gt; Outbound SSL Options.
6. Under &quot;Allowed SSL and TLS Version&quot;, check the box for &quot;Accept only TLS 1.2 (maximize security)&quot;.
7. Click &quot;Save Changes&quot;.
8. Click &quot;Proceed&quot; to accept the cipher change.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284530</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284530r1244936_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must be configured to terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. 

Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to Administrators &gt;&gt; Admins Role &gt;&gt; Delegated Admin Roles.
2. Click the configured admin role being used for CAC/PKI token admin logins, by default it is &quot;.Administrators&quot;.
3. Click the &quot;Session Options&quot; tab.
4. View the &quot;Session Lifetime&quot; section.

If the idle timeout is not set to &quot;10&quot;, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to Administrators &gt;&gt; Admins Role &gt;&gt; Delegated Admin Roles.
2. Click the configured admin role being used for CAC/PKI token admin logins, by default it is &quot;.Administrators&quot;.
3. Click the &quot;Session Options&quot; tab.
4. In the &quot;Session Lifetime&quot; section, set the Idle Timeout to &quot;10&quot;.
5. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284531</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284531r1244937_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must be configured to prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. 

Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations.

Satisfies: SRG-APP-000340-NDM-000288, SRG-APP-000378-NDM-000302, SRG-APP-000380-NDM-000304, SRG-APP-000408-NDM-000314, SRG-APP-000491-NDM-000316, SRG-APP-000516-NDM-000341, SRG-APP-000177-NDM-000263, SRG-APP-000820-NDM-000170, SRG-APP-000825-NDM-000180, SRG-APP-000875-NDM-000280</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify realms and roles are configured as needed to meet mission requirements.

1. In the Web UI, navigate to Administrators &gt;&gt; Admin Realms &gt;&gt; Admin Realms.
2. Click the admin realm that is currently being used on the Policy Secure for administrator logins. By default, it is &quot;Admin Users&quot;.
3. In the &quot;General&quot; tab, under Servers &gt;&gt; Directory/Attribute, verify &quot;none&quot; are listed.
4. In the &quot;Role Mapping&quot; tab, under &quot;when users meet these conditions&quot; set the following:
- &quot;Group&quot; must be used, and the local site&apos;s administrator active directory group must be selected and assigned to the &quot;.Administrators&quot; role. 
Note: This role could be different if using something other than the default &quot;.Administrators&quot; role.

If a realm or role mapping is not configured to prevent nonprivileged users from executing privileged functions, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure realms and roles as needed to meet mission requirements. The &quot;.Administrators&quot; role is a default role name, but other administrator role names can be used. Groups must be used; separate usernames or an allow-all username of * is not acceptable.

1. In the Web UI, navigate to Administrators &gt;&gt; Admin Realms &gt;&gt; Admin Realms.
2. Click the admin realm that is used on the Policy Secure for administrator logins. By default, it is &quot;Admin Users&quot;.
3. In the &quot;General&quot; tab, under Servers &gt;&gt; Directory/Attribute, select the previously configured LDAP Directory. If none are configured, follow vendor supplied instructions for creating an LDAP Authentication Server.
4. In the &quot;Role Mapping&quot; tab, under &quot;when users meet these conditions&quot; select &quot;New rule&quot;.
5. Under &quot;Rule based on&quot;, select &quot;Group Membership&quot;.
6. Name the rule.
7. Select &quot;is&quot;.
8. Provide the exact group name in the text box. This name must match the &quot;CN=&quot; attribute name. For example, if the group is &quot;CN=ivanti.adm.group&quot; then add the &quot;ivanti.adm.group&quot; to the text box.
9. Under &quot;then assign these roles&quot;, select the admin role used by Policy Secure for admin logins. By default, this is the &quot;.Administrators&quot;.
10. Click &quot;Save Changes&quot;.
11. Under &quot;Role Mapping&quot; if there are more roles needed for more specific role-based access to the Policy Secure, configure more of them here.
12. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284532</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284532r1244938_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must be configured to authenticate SNMPv3 messages using a Ivanti Policy Secure-validated keyed-Hash Message Authentication Code (HMAC).</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.

A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, internet). A remote connection is any connection with a device communicating through an external network (e.g., the internet).

Because of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>If SNMP is not used, this is not applicable.

1. In the Web UI, navigate to System &gt;&gt; Log/Monitoring &gt;&gt; SNMP.
2. Under &quot;SNMP version data&quot;, verify v2c is not selected.

If any version other than v3 is selected, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to System &gt;&gt; Log/Monitoring &gt;&gt; SNMP.
2. Under &quot;SNMP version data&quot;, select &quot;v3&quot;.
3. Under &quot;Agent Properties&quot;, select SNMP Queries.
4. Define the System Name.
5. Define the System Location.
6. Define the System Contact.
7. Under &quot;SNMPv3 Configuration&quot; and &quot;User 1&quot;, type the username.
8. Select the &quot;Security Level&quot; of Auth, Priv.
9. Select &quot;SHA&quot; as the Auth Protocol.
10. Type the Auth password.
11. Select &quot;CFB-AES-128&quot; as the Priv Protocol.
12. Type the Priv password.
13. Under &quot;Optional Traps&quot;, select &quot;Critical&quot; and &quot;Major&quot; log events.
14. Click &quot;Save changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284533</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284533r1244995_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must use an NTP service that is hosted by a trusted source or a DoW-compliant enterprise or local NTP server.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>If a trusted time source is not used, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log timestamps inaccurate which may hide attacks or result in inaccurate forensic analysis. 

The recommended solution is that the application or endpoint is configured to point to an enterprise or site-owned time server that is DoW-compliant (instead of directly to an NTP source as implied by the current wording of the requirement). Most products are unable to meet the requirement, but DISA can mitigate the risk by using a trusted time source. So, the requirement should state that NTPS is used with USNO NTP as an alternative mitigation for this to be considered not a finding. 

More information can be found at https://www.cnmoc.usff.navy.mil/Our-Commands/United-States-Naval-Observatory/Precise-Time-Department/Network-Time-Protocol-NTP/DOD-Customer-Servers/.

DoW users should not use tick, tock, or ntp2. There are instructions for obtaining authenticated NTP at the site listed above.

Satisfies: SRG-APP-000395-NDM-000347, SRG-APP-000920-NDM-000320, SRG-APP-000925-NDM-000330</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to System &gt;&gt; Status &gt;&gt; Dashboard.
2. Click the &quot;Overview&quot; tab.
3. Under &quot;Appliance Details&quot; and &quot;System Date and Time&quot;, select &quot;Edit&quot;.
4. Verify &quot;Use Pool of NTP servers&quot; is checked.
5. Verify at least two NTP servers are configured.
6. Verify a key is configured.

If Policy Secure is not configured to use redundant NTP services that is hosted by a trusted source or a DoW-compliant enterprise or local NTP server, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to System &gt;&gt; Status &gt;&gt; Dashboard.
2. Click the &quot;Overview&quot; tab.
3. Under &quot;Appliance Details&quot; and &quot;System Date and Time&quot;, select &quot;Edit&quot;.
4. Select &quot;(GMT) Coordinated Universal Time&quot;.
5. Select &quot;Use Pool of NTP servers&quot;.
6. Enter the IP/hostname of each NTP server in the &quot;NTP Server 1&quot;, &quot;NTP Server 2&quot;, etc.
7. Under the key section, input the key in the following format: &lt;keynumber&gt; &lt;algorithm&gt; &lt;key&gt;.
Note: There must be a space between each section of &lt;keynumber&gt; &lt;algorithm&gt; &lt;key&gt;.
8. Click &quot;Save changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284534</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284534r1244941_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must be configured to connect to the management network if used to authenticate privileged users for device management.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore, cannot be relied upon to provide confidentiality or integrity, and DoW data may be compromised.

Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. 

Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2/140-3-validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules.

Separate requirements for configuring applications and protocols used by each application (e.g., SNMPv3, SSHv2, NTP, HTTPS, and other protocols and applications that require server/client authentication) are required to implement this requirement. Where SSH is used, the SSHv2 protocol suite is required because it includes layer 7 protocols such as SCP and SFTP, which can be used for secure file transfers.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to System &gt;&gt; Configuration &gt;&gt; Advanced Networking. 
2. Verify the management interface is selected for NTP, SNMP, Syslog and Log Archiving.

1. In the Web UI, navigate to Administrators &gt;&gt; Admin Realms.
2. Click each Admin Authentication Realm.
3. Click on Authentication policy for each realm. 
4. Verify the &quot;Enable to sign in&quot; check box is not checked for &quot;Management Port&quot;.

If the device is not configured to connect to the management port for NTP, SNMP, and Syslog and Log Archiving communications, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Enable and configure alternative protocols and the admins to login to the Management port as well as the default URL port.

1. In the Web UI, navigate to Network &gt;&gt; Management &gt;&gt; Settings.
2. Check the box for &quot;Use Port&quot; to enable.
3. Add an IPv4 Address, Netmask, and GW.
4. Check the box to enable IPv6.
5. Add an IP Address, Prefix, and GW.

1. In the Web UI, navigate to System &gt;&gt; Configuration &gt;&gt; Advanced Networking. 
2. Select the management interface for NTP, SNMP, Syslog &amp; Log Archive (this should be selected by default). 
3. Click &quot;Save&quot;.

1. In the Web UI, navigate to Administrators &gt;&gt; Admin Realms.
2. Click each Admin Authentication Realm.
3. Click on Authentication policy. 
4. Select each realm and select &quot;Enable administrators to sign in on the Management port&quot;. This should be the only port checked.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284535</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284535r1244943_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must enable IPS, JITC, and NDcPP compliance modes to ensure only FIPS 140-2/140-3 algorithms are used.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoW data may be compromised.

This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to eavesdropping, potentially putting sensitive data (including administrator passwords) at risk of compromise and potentially allowing hijacking of maintenance sessions.

Satisfies: SRG-APP-000412-NDM-000331, SRG-APP-000142-NDM-000245, SRG-APP-000156-NDM-000250, SRG-APP-000179-NDM-000265, SRG-APP-000224-NDM-000270, SRG-APP-000435-NDM-000315, SRG-APP-000516-NDM-000317</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to System &gt;&gt; Configuration &gt;&gt; Security &gt;&gt; Inbound SSL Options.
2. Verify the &quot;Turn on JITC mode&quot; checkbox is not checked.
3. Verify the &quot;Turn on NDcPP mode&quot; checkbox is not checked.
4. Verify the &quot;Turn on FIPS mode&quot; checkbox is not checked.

If JITC and NDcPP compliance modes are not configured, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to System &gt;&gt; Configuration &gt;&gt; Security &gt;&gt; Inbound SSL Options.
2. Under the DoW Certification option, enable &quot;Turn on JITC mode&quot; to enable the JITC mode security features.
3. Under SSL NDcPP Mode Option, enable &quot;Turn on NDcPP mode&quot; to enable the NDcPP mode security features.
4. Under SSL FIPS Mode Option, check enable &quot;Turn on FIPS mode&quot; to enable the FIPS mode security features.
5. Click &quot;Save changes&quot; and confirm after the web UI asks for SSL cipher configuration changes.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284536</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284536r1244945_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must be configured to send the user access events audit log records to a centralized syslog server.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Satisfies: SRG-APP-000516-NDM-000350</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to System &gt;&gt; Log/Monitoring &gt;&gt; User Access &gt;&gt; Settings.
2. Verify &quot;Select Events to Log&quot; is configured to log all items.
3. Verify &quot;Syslog Servers&quot; is configured with a remote syslog server name/IP address.
4. Verify TSL is selected.

If user access events log audit records are not configured to be sent to a remote centralized syslog server, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to System &gt;&gt; Log/Monitoring &gt;&gt; User Access &gt;&gt; Settings.
2. Under &quot;Select Events to Log&quot;, check all items.
3. Under &quot;syslog Servers&quot; add an IP address/server name/IP.
4. Set the facility to LOCAL0.
5. Set type to TLS.
6. Optionally, only if a client certificate is required for the syslog server, select the client certificate to use for the syslog traffic. If none exists, import the DoW-signed client key pair to the Policy Secure under System &gt;&gt; Configuration &gt;&gt; Certificates &gt;&gt; Client Auth Certificates. 
7. Set the standard filer.
8. Set the source interface as either the management or internal interface.
9. Click &quot;Add&quot;.
10. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284537</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284537r1244947_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must send events audit log records to a centralized syslog server.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Satisfies: SRG-APP-000516-NDM-000350</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to System &gt;&gt; Log/Monitoring &gt;&gt; Events &gt;&gt; Settings.
2. Verify &quot;Select Events to Log&quot; is configured to log all items.
3. Verify &quot;Syslog Servers&quot; is configured with a remote syslog server name/IP address.
4. Verify &quot;TSL&quot; is selected.

If events access log audit records are not configured to be sent to a remote centralized syslog server, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to System &gt;&gt; Log/Monitoring &gt;&gt; User Access &gt;&gt; Settings.
2. Under &quot;Select Events to Log&quot;, check all items.
3. Under &quot;syslog Servers&quot; add an IP address/server name/IP.
4. Set the facility to &quot;LOCAL0&quot;.
5. Set type to &quot;TLS&quot;.
6. Optionally, if only a client certificate is required for the syslog server, select the client certificate to use for the syslog traffic. If none exists, import the DoW-signed client key pair to the Policy Secure under System &gt;&gt; Configuration &gt;&gt; Certificates &gt;&gt; Client Auth Certificates. 
7. Set the standard filer.
8. Set the source interface as either the management or internal interface.
9. Click &quot;Add&quot;.
10. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284538</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284538r1244948_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization&apos;s network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to Authentication &gt;&gt; Auth Servers &gt;&gt; Authentication/Authorization Servers.
2. Select the directory service connector that was created.
3. Check to ensure a primary and backup server is configured. 

If a primary and backup connection is not configured, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Configure at least two authentication servers.

1. In the Web UI, navigate to Administrators &gt;&gt; Auth Servers.
2. Click &quot;New Servers&quot;, under &quot;Server type&quot;, select &quot;Certificate Server&quot;, then click &quot;New Server&quot;.
3. Type a Name, then under &quot;User Name template&quot;, type: &lt;certAttr.altname.UPN&gt;.
4. Click &quot;Save changes&quot;.
5. Navigate to Administrators &gt;&gt; Auth Servers.
6. Click &quot;New Servers&quot;, under &quot;Server type&quot;, select &quot;LDAP Server&quot;, then click &quot;New Server&quot;.
7. Type a name for the primary LDAP server domain.
8. LDAP server: the FQDN of the server (an IP address may cause an error as the LDAP server certificate might not have an IP in the SAN field).
9. LDAP port: 636.
10. Backup LDAP Server1: the FQDN of the secondary server (an IP address may cause an error as the LDAP server certificate might not have an IP in the SAN field).
11. Backup LDAP Port1: 636.
12. If a third LDAP server is needed, add this and the port info under Backup LDAP Server2 and Backup LDAP Port2.
13. LDAP Server Type: Active Directory.
14. Connection: LDAPS.
15. Ensure &quot;Validate Server Certificate&quot; is checked.
16. Connection Timeout: 15.
17. Search Timeout: 60.
18. Scroll down to the bottom and click &quot;Save changes&quot;, then click &quot;Test Settings&quot; to ensure valid communications are possible.
Note: If there are failures in this testing, ensure the step for Device Certificates and Trusted Server CAs were completed. If not, this will cause LDAPS certificate issues.
19. Under &quot;authentication required&quot;, click the box for &quot;Authentication required to search LDAP&quot;.
20. Enter the service account&apos;s Admin DN using this as an example format: CN=PCS.SVC,OU=IVANTI,DC=dod,DC=mil.
21. Enter the service account&apos;s password.
22. Under &quot;Finding user entries&quot;, add the base DN of the domain using this as an example format: DC=dod,DC=mil.
23. Under &quot;filter&quot;, use this specific attribute configuration: userPrincipalName=&lt;USER&gt;.
24. Under &quot;group membership&quot;, add the base DN where admin users will access, using this as an example format: OU=IVANTI,DC=dod,DC=mil.
25. Under &quot;filter&quot;, use the following: cn=&lt;GROUPNAME&gt;.
26. Under &quot;member attribute&quot;, use the following: member.
27. Click &quot;Save Changes&quot;.
28. At the LDAP server configuration screen, scroll down and click the &quot;Server Catalog&quot; hyperlink.
29. Under attributes, click &quot;New&quot;, type &quot;userPrincipalName&quot;, then click &quot;Save Changes&quot;.
30. Under groups, click &quot;Search&quot;. In the search box, type the group name used for admin logins.
31. Check the box next to the group that is found and click &quot;Add Selected&quot;.
32. Repeat these steps for all various groups needed for various roles on the Policy Secure system. For example, groups for auditors, ISSOs, NOC, SOC, Viewer, etc.
33. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284539</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284539r1244949_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must be configured to conduct backups of system level information contained in the information system when changes occur or weekly, whichever is sooner.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial of service condition is possible for all who use this critical network component.

This control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Ivanti Policy Secure Web UI, navigate to Maintenance &gt;&gt; Archiving &gt;&gt; Archive Servers.
2. Review the archive schedule to verify the configuration is configured to backup weekly, at a minimum.
3. Review the backup log to verify the backup is kicked off manually when system configuration occurs.

If backups of system level information are not scheduled for at least weekly, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Ivanti Policy Secure Web UI, navigate to Maintenance &gt;&gt; Archiving &gt;&gt; Archive Servers.
2. Click &quot;SCP&quot; if using an SFTP/SCP server, other mechanisms may not be allowed due to local security policy. Check with the information system security manager (ISSM) before configuring anything other than SCP.
3. Under &quot;Archive Server&quot;, type the host name or IPv4/IPv6 address.
4. In &quot;Destination Directory&quot;, type the path of the backup (e.g., &quot;/backupfolder/ics/&quot;).
5. In the &quot;Username&quot; field, type the username with SCP/SFTP permissions on the backup server.
6. In the &quot;Password&quot; field, type the password.
7. Under &quot;Archive Schedule&quot; select &quot;Archive System Configuration&quot;, then click the day of the week and time when the backup should be sent.
8. Under &quot;Archive System Configuration&quot;, ensure a password is given to encrypt the backup.
9. Under &quot;Archive Schedule&quot;, select &quot;Archive User Accounts&quot;, then click the day of the week and time when the backup should be sent.
10. Under &quot;Archive User Accounts&quot;, ensure a password is given to encrypt the backup.
11. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284540</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284540r1244952_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must obtain its public key certificates from an appropriate certificate policy through an approved service provider.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority (CA) will suffice.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to System &gt;&gt; Configuration &gt;&gt; Certificates &gt;&gt; Device Certificates.
2. View the certificate to verify it is signed by a valid DoW CA.
3. Verify the certificate is the only one present and configured for use on interfaces.

If a DoW CA certificate is not used, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to System &gt;&gt; Configuration &gt;&gt; Certificates &gt;&gt; Device Certificates.
2. Click &quot;New CSR&quot;.
3. Add a Common Name in FQDN format.
4. Add a Country code of US.
5. Under &quot;Key type&quot;, if using RSA, select &quot;RSA&quot;. If using ECC, select &quot;ECC&quot;.
6. Under &quot;Key length&quot;, if using RSA, select at least 2048. If using ECC, select &quot;P-384&quot;.
7. Enter in random data in the text field.
8. Click &quot;Create CSR&quot;.
9. Copy the Base 64/PEM encoded certificate request shown on the screen and paste it to a text file. Ensure the file has the file suffix of .csr.
10. Complete the local RA process for DoW web server certificate requests. Ensure that SANs are added to the certificate by the issuing CA to include the host name, cluster names, and all FQDNs.
11. Once the certificate is provided by the CA, go to System &gt;&gt; Configuration &gt;&gt; Certificates &gt;&gt; Device Certificates.
12. Click &quot;Browse&quot; and select the certificate file issued by the CA, then click &quot;Import&quot;.
13. Click &quot;Save Changes&quot;.
14. Click on the imported certificate.
15. On the internal port, click add for the cluster internal VIP and &lt;Internal Port&gt;.
16. On the external port, click add for the cluster external VIP and &lt;External Port&gt;.
17. Check the box for &quot;Management Port&quot;.
18. Under &quot;Certificate Status Checking&quot;, click the box for &quot;Use CRLs&quot;.
19. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284541</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284541r1244953_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must limit the number of concurrent sessions to one for each administrator account/or administrator type.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to denial-of-service (DoS) attacks.

This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. At a minimum, limits must be set for SSH, HTTPS, account of last resort, and root account sessions.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to Administrators &gt;&gt; Admins Realms &gt;&gt; Admin Realms.
2. Click the configured admin realm being used for CAC/PKI token admin logins.
3. Click the &quot;Authentication Policy&quot; tab, then click &quot;Limits&quot;.

If the &quot;Maximum number of sessions per user&quot; field shows any value other than &quot;1&quot;, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to Administrators &gt;&gt; Admins Realms &gt;&gt; Admin Realms.
2. Click the configured admin realm being used for CAC/PKI token admin logins.
3. Click the &quot;Authentication Policy&quot; tab, then click &quot;Limits&quot;.
4. In &quot;Maximum number of sessions per user&quot;, enter &quot;1&quot;.
5. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284542</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284542r1244955_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must be configured to use DoW public key infrastructure (PKI) as multifactor authentication (MFA) for administrator login via the sign-in URL.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Once issued by a DoW certificate authority (CA), PKI certificates are typically valid for three years or fewer within the DoW. However, there are many reasons a certificate may become invalid before the prescribed expiration date. For example, an employee may leave or be terminated and still possess the smartcard on which the PKI certificates were stored. Another example is that a smartcard containing PKI certificates may become lost or stolen. A more serious issue could be that the CA or server which issued the PKI certificates has become compromised, thereby jeopardizing every certificate keypair that was issued by the CA. These examples of revocation use cases and many more can be researched further using internet cybersecurity resources.

PKI user certificates presented as part of the identification and authentication criteria (e.g., DoW PKI as MFA) must be checked for validity by network devices. For example, valid PKI certificates are digitally signed by a trusted DoW CA. Additionally, valid PKI certificates are not expired, and valid certificates have not been revoked by a DoW CA.

Network devices can verify the validity of PKI certificates by checking with an authoritative CA. One method of checking the status of PKI certificates is to query databases referred to as certificate revocation lists (CRL). These are lists which are published, updated, and maintained by authoritative DoW CAs. For example, once certificates are expired or revoked, issuing CAs place the certificates on a CRL. Organizations can download these lists periodically (i.e., daily or weekly) and store them locally on the devices themselves or even onto another nearby local enclave resource. Storing them locally ensures revocation status can be checked even if internet connectivity is severed at the enclave&apos;s point of presence (PoP). However, CRLs can be rather large in storage size and further, the use of CRLs can be rather taxing on some computing resources.

Another method of validating certificate status is to use the online certificate status protocol (OCSP). Using OCSP, a requestor (i.e., the network device which the user is trying to authenticate to) sends a request to an authoritative CA challenging the validity of a certificate that has been presented for identification and authentication. The CA receives the request and sends a digitally signed response indicating the status of the user&apos;s certificate as valid, revoked, or unknown. Network devices must only allow access for responses that indicate the certificates presented by the user were considered valid by an approved DoW CA. OCSP is the preferred method because it is fast, provides the most current status, and is lightweight.

Satisfies: SRG-APP-000149-NDM-000247, SRG-APP-000153-NDM-000249, SRG-APP-000910-NDM-000300</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Verify the admin realm is configured for certificate authentication.
1. In the Web UI, navigate to Administrators &gt;&gt; Admin Realms.
2. View the configuration for the admin realm used for administrator sign-in (this is called &quot;Admin Users&quot; by default).
3. Authentication: View the certificate authentication server name.
4. Verify the box for &quot;Enable dynamic policy evaluation&quot; is checked.
5. Verify the box for &quot;Refresh roles&quot; and &quot;refresh resource policies&quot; is checked.

Verify the certificate authentication server is configured to use DoW PKI.
1. Navigate to Administrators &gt;&gt; Auth. Servers.
2. Select Certificate from the list, then select the name of the certificate authentication server name that was used for the admin realm.
3. Verify the username template is set to &lt;certAttr.altname.UPN&gt;.

If Ivanti Policy Secure is not configured to use DoW PKI as MFA for admin logins, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Create a certificate authentication server with the &quot;Certificate&quot; server type to handle the common access card (CAC)/PKI handshake.
1. In the Web UI, navigate to Administrators &gt;&gt; Auth. Servers.
2. Select &quot;Certificate&quot; from the list and click &quot;New Server&quot;.
3. Enter a name.
4. Under &quot;User Name Template&quot;, type &lt;certAttr.altname.UPN&gt;.
5. Click &quot;Save Changes&quot;.

Configure the Admin Realm to tie the certificate authentication and the LDAP lookup together.
1. Navigate to Administrators &gt;&gt; Admin Realms.
2. Click the admin realm being used. &quot;Admin Users&quot; is defined by default.
3. Authentication: Select the certificate authentication server created previously that included the User Name Template &lt;certAttr.altname.UPN&gt;.
4. Directory/Attribute: Select the LDAP server with the admin accounts.
5. Check the box for &quot;Enable dynamic policy evaluation&quot;.
6. Check both &quot;Refresh roles&quot; and &quot;Refresh resource policies&quot;.
7. Click &quot;Save Changes&quot;.
Note: Role Mappings: Created rules that map users to the &quot;Administrator&quot; role based on LDAP groups.

Update the Admin Sign-in Policy by configuring the admin sign-in URL to use this realm.
1. In the Web UI, navigate to Authentication &gt;&gt; Signing In &gt;&gt; Sign-in Policies.
2. Create a new URL or edit the &quot;*/admin/&quot; URL, depending on the site.
Note: It is recommended to create a new sign-in URL until this configuration is fully tested to ensure there is still web UI reachability in the troubleshooting process.
3. Under &quot;Authentication Realm&quot;, click the &quot;User picks from a list of authentication realms&quot;.
4. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284543</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284543r1244956_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must be configured to use DoW-approved online certificate status protocol (OCSP) responders or certificate revocation lists (CRLs) to validate certificates used for public key infrastructure (PKI)-based authentication.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Once issued by a DoW certificate authority (CA), PKI certificates are typically valid for three years or fewer within the DoW. However, there are many reasons a certificate may become invalid before the prescribed expiration date. For example, an employee may leave or be terminated and still possess the smartcard on which the PKI certificates were stored. Another example is that a smartcard containing PKI certificates may become lost or stolen. A more serious issue could be that the CA or server which issued the PKI certificates has become compromised, thereby jeopardizing every certificate keypair that was issued by the CA. These examples of revocation use cases and many more can be researched further using internet cybersecurity resources.

PKI user certificates presented as part of the identification and authentication criteria (e.g., DoW PKI as multifactor authentication [MFA]) must be checked for validity by network devices. For example, valid PKI certificates are digitally signed by a trusted DoW CA. Additionally, valid PKI certificates are not expired, and valid certificates have not been revoked by a DoW CA.

Satisfies: SRG-APP-000175-NDM-000262, SRG-APP-000875-NDM-000280</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the ICS Web UI, navigate to System &gt;&gt; Configuration &gt;&gt; Certificates &gt;&gt; Trusted Client CAs.
2. Click each DoW client CA.
3. Verify that under &quot;Client certificate status checking&quot;, &quot;OCSP&quot;, &quot;CRL&quot;, or both are checked.
Example: &quot;Use OCSP with CRL fallback&quot; is selected under the &quot;Client certificate status checking&quot; setting.

If the ICS is not configured to use DoW approved OCSP responders and/or CRLs to validate certificates used for PKI-based authentication, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the ICS Web UI, navigate to System &gt;&gt; Configuration &gt;&gt; Certificates &gt;&gt; Trusted Client CAs.
2. Click the first DoW client CA.
3. If OCSP only is used, under &quot;Client certificate status checking&quot;, select &quot;Use OCSP&quot;.
4. If CRL is used, under &quot;Client certificate status checking&quot;, select &quot;Use CRL&quot; option.
Note: The recommended option is &quot;Use OCSP with CRL fallback&quot; option under &quot;Client certificate status checking&quot;.
5. Repeat these steps for every other client certificate CA.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284544</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284544r1244957_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must be configured to protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Communications paths can be logically separated using encryption.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to Administrators &gt;&gt; Admins Realms &gt;&gt; Admin Users &gt;&gt; Authentication Policy.
2. Click the configured admin realm being used for common access card (CAC)/public key infrastructure (PKI) token admin logins.
3. Click the &quot;Authentication Policy&quot; tab, then click &quot;Source IP&quot;.

In &quot;Administrator Sign in Port&quot; if there are any ports selected for &quot;Administrator Sign in&quot; other than &quot;Management Port&quot;, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to Administrators &gt;&gt; Admins Realms &gt;&gt; Admin Users &gt;&gt; Authentication Policy.
2. Click the configured admin realm used for CAC/PKI token admin logins.
3. Click the &quot;Authentication Policy&quot; tab, then click &quot;Source IP&quot;.
4. In &quot;Administrator Sign in Port&quot; under Administrator Sign in Ports Select only the &quot;Management Port&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284545</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284545r1244958_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must enable the admin access audit log.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.

Satisfies: SRG-APP-000343-NDM-000289, SRG-APP-000027-NDM-000209, SRG-APP-000028-NDM-000210, SRG-APP-000029-NDM-000211, SRG-APP-000080-NDM-000220, SRG-APP-000091-NDM-000223, SRG-APP-000100-NDM-000230, SRG-APP-000319-NDM-000283</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>In the Web UI, navigate to System &gt;&gt; Log/Monitoring &gt;&gt; Admin Access &gt;&gt; Settings.

Under the section &quot;Select Events to Log&quot;, if &quot;Administrator changes&quot; is not checked, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to Administrators &gt;&gt; Admin Realms &gt;&gt; Admin Realms.
2. Check the box for &quot;Administrator changes&quot; under the section &quot;Select Events to Log&quot;.
3. Click &quot;Save Changes&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284546</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284546r1244959_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must install software updates within 30 days from publication.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Security flaws with software are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. Check the vendor portal to obtain the version and release dates for the latest releases.
2. Navigate to Maintenance &gt;&gt; System &gt;&gt; Platform to inspect the version number of the installed release.

If software updates are not being installed within 30 days from publication, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Regularly log in to the Ivanti Success Portal to check for new maintenance releases.

Back Up Configuration (Pre-Update):
1. Navigate to Maintenance &gt;&gt; Archiving &gt;&gt; Configuration Archive.
2. Select &quot;Save Config As...&quot; and download the binary configuration file.
3. Export User and Admin local databases separately if there are a large number of local accounts.
4. Download and verify the image.
5. Download the appropriate .pkg or system image from Ivanti.
6. Run a SHA-256 checksum on the downloaded file and compare it against the hash provided on the Ivanti download page.

Install the Update:
1. Go to Maintenance &gt;&gt; System &gt;&gt; Upgrade.
2. Under &quot;Upload and Install System Software&quot;, click &quot;Browse&quot; and select the verified update file.
3. Click &quot;Install&quot;. The appliance will automatically reboot.

Note: Log the date of the update to show it was completed within the mandated 30-day window.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284547</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284547r1244960_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>high</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must be configured to use a version supported by the vendor.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Unsupported software and systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities.

Software and systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation.

When maintenance updates and patches are no longer available, software is no longer considered supported and should be upgraded or decommissioned.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Check the software version installed against the vendor supported version.

1. Navigate to the System Status page from other admin console pages by selecting System &gt;&gt; Status.
2. Click the &quot;System Version Download Package&quot; link to download the software version running on the system.

If the software version is not a version supported by the vendor, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Upgrade the system software to a vendor supported version.

1. Select Maintenance &gt;&gt; System &gt;&gt; Upgrade/Downgrade to display the system software maintenance page.
2. Under &quot;Install Service Package&quot;, select one of the following options to proceed:
a. From &quot;File&quot;, use the &quot;Browse&quot; button to locate and select the service package file.
b. From &quot;Staged Package&quot;, select the service package file that was previously uploaded.
Note: Do not select the &quot;Deletes&quot; option when upgrading software. This option is available to support downgrading software.
3. Click &quot;Install&quot;.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>V-284638</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>SV-284638r1244993_rule</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>The Ivanti Policy Secure must send admin access audit log records to a centralized syslog server.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Vuln_Discuss</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Satisfies: SRG-APP-000516-NDM-000350</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Check_Content</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to System &gt;&gt; Log/Monitoring &gt;&gt; Admin Access &gt;&gt; Settings.
2. Verify &quot;Select Events to Log&quot; is configured to log all items.
3. Verify &quot;Syslog Servers&quot; is configured with a remote syslog server name/IP address.
4. Verify TSL is selected.

If admin access events log audit records are not configured to be sent to a remote centralized syslog server, this is a finding.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STIG_DATA>
        <VULN_ATTRIBUTE>Fix_Text</VULN_ATTRIBUTE>
        <ATTRIBUTE_DATA>1. In the Web UI, navigate to System &gt;&gt; Log/Monitoring &gt;&gt; Admin Access &gt;&gt; Settings.
2. Under &quot;Select Events to Log&quot;, check all items.
3. Under &quot;syslog Servers&quot;, add an IP address/server name/IP.
4. Set the facility to LOCAL0.
5. Set type to TLS.
6. (Optionally, only if a client cert is required for the syslog server) Select the client certificate to use for the syslog traffic. If none exists, import the DoW-signed client key pair to the Policy Secure under System &gt;&gt; Configuration &gt;&gt; Certificates &gt;&gt; Client Auth Certificates. 
7. Set the standard filer. 
8. Set the source interface as either the management or internal interface.
9. Click Add.
10. Click save changes.</ATTRIBUTE_DATA>
      </STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
    </iSTIG>
  </STIGS>
</CHECKLIST>