Rule ID
SV-284531r1244937_rule
Version
V1R1
Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations. Satisfies: SRG-APP-000340-NDM-000288, SRG-APP-000378-NDM-000302, SRG-APP-000380-NDM-000304, SRG-APP-000408-NDM-000314, SRG-APP-000491-NDM-000316, SRG-APP-000516-NDM-000341, SRG-APP-000177-NDM-000263, SRG-APP-000820-NDM-000170, SRG-APP-000825-NDM-000180, SRG-APP-000875-NDM-000280
Verify realms and roles are configured as needed to meet mission requirements. 1. In the Web UI, navigate to Administrators >> Admin Realms >> Admin Realms. 2. Click the admin realm that is currently being used on the Policy Secure for administrator logins. By default, it is "Admin Users". 3. In the "General" tab, under Servers >> Directory/Attribute, verify "none" are listed. 4. In the "Role Mapping" tab, under "when users meet these conditions" set the following: - "Group" must be used, and the local site's administrator active directory group must be selected and assigned to the ".Administrators" role. Note: This role could be different if using something other than the default ".Administrators" role. If a realm or role mapping is not configured to prevent nonprivileged users from executing privileged functions, this is a finding.
Configure realms and roles as needed to meet mission requirements. The ".Administrators" role is a default role name, but other administrator role names can be used. Groups must be used; separate usernames or an allow-all username of * is not acceptable. 1. In the Web UI, navigate to Administrators >> Admin Realms >> Admin Realms. 2. Click the admin realm that is used on the Policy Secure for administrator logins. By default, it is "Admin Users". 3. In the "General" tab, under Servers >> Directory/Attribute, select the previously configured LDAP Directory. If none are configured, follow vendor supplied instructions for creating an LDAP Authentication Server. 4. In the "Role Mapping" tab, under "when users meet these conditions" select "New rule". 5. Under "Rule based on", select "Group Membership". 6. Name the rule. 7. Select "is". 8. Provide the exact group name in the text box. This name must match the "CN=" attribute name. For example, if the group is "CN=ivanti.adm.group" then add the "ivanti.adm.group" to the text box. 9. Under "then assign these roles", select the admin role used by Policy Secure for admin logins. By default, this is the ".Administrators". 10. Click "Save Changes". 11. Under "Role Mapping" if there are more roles needed for more specific role-based access to the Policy Secure, configure more of them here. 12. Click "Save Changes".