Rule ID
SV-284444r1244802_rule
Version
V1R1
CCIs
To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following. (i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and (ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.
1. Navigate the URL(s) used for users to login. 2. Verify users are prompted for their credentials upon signing in and cannot bypass the sign-in process. If the device does not require users be individually authenticated, this is a finding.
Create the User Role to define what actions the user can perform once logged in. 1. Navigate to Users >> User Roles. 2. Click "New Role" and give it a name. 3. Under "Access Features", check the boxes for the services needed (e.g., VPN Tunneling or Web). Configure the Authentication Server so the credentials can be verified. 1. Navigate to Authentication >> Auth. Servers. 2. Select the server type from the dropdown and click "New Server". 3. Enter the server details and click "Save". Create the User Realm to connect the user to the authentication server and the role. 1. Navigate to Users >> User Realms. 2. Click "New Realm" and give it a name. 3. Authentication: Select the server created previously. 4. Directory/Attribute: Select the same server to look up group memberships for role mapping. 5. Click "Save Changes". Set up Role Mapping Rules to map the user to a group in the LDAP server. 1. While still in the new Realm, click the "Role Mapping" tab. 2. Click "New Rule". 3. Rule based on: Select Group Membership (if using AD) or Custom Expression. 4. Condition: Select the AD group the nonadministrative users belong to. 5. Assign Role: Select the role created in a previous step. 6. Click "Save Changes". Create a Sign-In Policy to provide a URL for the users to log in. 1. Navigate to Authentication >> Signing In >> Sign-in Policies. 2. Click "New URL". 3. User type: Select Users (not Administrators). 4. Sign-in URL: Specify a path (e.g., */staff-login). 5. Authentication Realm: Select "Corporate_Network_Realm". 6. Click "Save Changes".