STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 1 hour ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Ivanti Policy Secure NDM Security Technical Implementation Guide

V-284538

CAT I (High)

The Ivanti Policy Secure must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.

Rule ID

SV-284538r1244948_rule

STIG

Ivanti Policy Secure NDM Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000370

Discussion

Centralized management of authentication settings increases the security of remote and nonlocal access methods. This control is particularly important protection against the insider threat. With robust centralized management, audit records for administrator account access to the organization's network devices can be more readily analyzed for trends and anomalies. The alternative method of defining administrator accounts on each device exposes the device configuration to remote access authentication attacks and system administrators with multiple authenticators for each network device.

Check Content

1. In the Web UI, navigate to Authentication >> Auth Servers >> Authentication/Authorization Servers.
2. Select the directory service connector that was created.
3. Check to ensure a primary and backup server is configured. 

If a primary and backup connection is not configured, this is a finding.

Fix Text

Configure at least two authentication servers.

1. In the Web UI, navigate to Administrators >> Auth Servers.
2. Click "New Servers", under "Server type", select "Certificate Server", then click "New Server".
3. Type a Name, then under "User Name template", type: <certAttr.altname.UPN>.
4. Click "Save changes".
5. Navigate to Administrators >> Auth Servers.
6. Click "New Servers", under "Server type", select "LDAP Server", then click "New Server".
7. Type a name for the primary LDAP server domain.
8. LDAP server: the FQDN of the server (an IP address may cause an error as the LDAP server certificate might not have an IP in the SAN field).
9. LDAP port: 636.
10. Backup LDAP Server1: the FQDN of the secondary server (an IP address may cause an error as the LDAP server certificate might not have an IP in the SAN field).
11. Backup LDAP Port1: 636.
12. If a third LDAP server is needed, add this and the port info under Backup LDAP Server2 and Backup LDAP Port2.
13. LDAP Server Type: Active Directory.
14. Connection: LDAPS.
15. Ensure "Validate Server Certificate" is checked.
16. Connection Timeout: 15.
17. Search Timeout: 60.
18. Scroll down to the bottom and click "Save changes", then click "Test Settings" to ensure valid communications are possible.
Note: If there are failures in this testing, ensure the step for Device Certificates and Trusted Server CAs were completed. If not, this will cause LDAPS certificate issues.
19. Under "authentication required", click the box for "Authentication required to search LDAP".
20. Enter the service account's Admin DN using this as an example format: CN=PCS.SVC,OU=IVANTI,DC=dod,DC=mil.
21. Enter the service account's password.
22. Under "Finding user entries", add the base DN of the domain using this as an example format: DC=dod,DC=mil.
23. Under "filter", use this specific attribute configuration: userPrincipalName=<USER>.
24. Under "group membership", add the base DN where admin users will access, using this as an example format: OU=IVANTI,DC=dod,DC=mil.
25. Under "filter", use the following: cn=<GROUPNAME>.
26. Under "member attribute", use the following: member.
27. Click "Save Changes".
28. At the LDAP server configuration screen, scroll down and click the "Server Catalog" hyperlink.
29. Under attributes, click "New", type "userPrincipalName", then click "Save Changes".
30. Under groups, click "Search". In the search box, type the group name used for admin logins.
31. Check the box next to the group that is found and click "Add Selected".
32. Repeat these steps for all various groups needed for various roles on the Policy Secure system. For example, groups for auditors, ISSOs, NOC, SOC, Viewer, etc.
33. Click "Save Changes".