The ICS must be configured to prevent nonprivileged users from executing privileged functions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-258600	IVCS-NM-000050	SV-258600r930488_rule		High

Description
Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations. Satisfies: SRG-APP-000340-NDM-000288, SRG-APP-000380-NDM-000304, SRG-APP-000378-NDM-000302, SRG-APP-000133-NDM-000244, SRG-APP-000123-NDM-000240, SRG-APP-000121-NDM-000238, SRG-APP-000231-NDM-000271, SRG-APP-000408-NDM-000314, SRG-APP-000329-NDM-000287, SRG-APP-000153-NDM-000249, SRG-APP-000119-NDM-000236, SRG-APP-000120-NDM-000237, SRG-APP-000033-NDM-000212, SRG-APP-000516-NDM-000335, SRG-APP-000516-NDM-000336, SRG-APP-000177-NDM-000263, SRG-APP-000080-NDM-000220

Description

Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations. Satisfies: SRG-APP-000340-NDM-000288, SRG-APP-000380-NDM-000304, SRG-APP-000378-NDM-000302, SRG-APP-000133-NDM-000244, SRG-APP-000123-NDM-000240, SRG-APP-000121-NDM-000238, SRG-APP-000231-NDM-000271, SRG-APP-000408-NDM-000314, SRG-APP-000329-NDM-000287, SRG-APP-000153-NDM-000249, SRG-APP-000119-NDM-000236, SRG-APP-000120-NDM-000237, SRG-APP-000033-NDM-000212, SRG-APP-000516-NDM-000335, SRG-APP-000516-NDM-000336, SRG-APP-000177-NDM-000263, SRG-APP-000080-NDM-000220

STIG	Date
Ivanti Connect Secure NDM Security Technical Implementation Guide	2023-10-17

Details

Check Text ( C-62340r930486_chk )
Verify Realms and Roles are configured as needed to meet mission requirements. In the ICS Web UI, navigate to Administrators >> Admin Realms >> Admin Realms. 1. Click the admin realm that is currently being used on the ICS for administrator logins. By default, it is "Admin Users". 2. In the "General" tab, under Servers >> Directory/Attribute, verify it does not say "none". 3. In the "Role Mapping" tab, under "when users meet these conditions", verify the following: - "Group" must be used, and the local site's administrator active directory group must be selected and assigned to the ".Administrators" role. Note that this role could be different if using something other than the default ".Administrators" role. - Verify separate usernames are not used. Verify an allow-all username of * is used. If a realm or role is not configured to prevent nonprivileged users from executing privileged functions, this is a finding.

Check Text ( C-62340r930486_chk )

Verify Realms and Roles are configured as needed to meet mission requirements.

In the ICS Web UI, navigate to Administrators >> Admin Realms >> Admin Realms.
1. Click the admin realm that is currently being used on the ICS for administrator logins. By default, it is "Admin Users".
2. In the "General" tab, under Servers >> Directory/Attribute, verify it does not say "none".
3. In the "Role Mapping" tab, under "when users meet these conditions", verify the following:
- "Group" must be used, and the local site's administrator active directory group must be selected and assigned to the ".Administrators" role. Note that this role could be different if using something other than the default ".Administrators" role.
- Verify separate usernames are not used. Verify an allow-all username of * is used.

If a realm or role is not configured to prevent nonprivileged users from executing privileged functions, this is a finding.

Fix Text (F-62249r930487_fix)
Configure Realms and Roles as needed to meet mission requirements. Note: The ".Administrators" role is a default role name, other administrator role names can be used. Groups must be used, separate usernames or an allow-all username of * is not acceptable. In the ICS Web UI, navigate to Administrators >> Admin Realms >> Admin Realms. 1. Click the admin realm that is currently being used on the ICS for administrator logins. By default, it is "Admin Users". 2. In the "General" tab, under Servers >> Directory/Attribute, select the previously configured LDAP Directory. If none is configured, follow vendor supplied instructions for creating an LDAP Authentication Server. 3. In the "Role Mapping" tab, under "when users meet these conditions", select new rule. 4. Under rule based on, select "Group Membership". 5. Give the rule a name. 6. Select "is". 7. Provide the exact group name in the text box. This name must match the "CN=" attribute name. For example, if the group is "CN=ivanti.adm.group" then add the "ivanti.adm.group" to the text box. 8. Under "then assign these roles", select the admin role used by ICS for admin logins. By default this is ".Administrators". 9. Click "Save Changes". 10. Under "Role Mapping", if there are more roles needed for more specific role-based access to the ICS, configure more of them here. 11. Once complete, click "Save Changes".

Fix Text (F-62249r930487_fix)

Configure Realms and Roles as needed to meet mission requirements.

Note: The ".Administrators" role is a default role name, other administrator role names can be used. Groups must be used, separate usernames or an allow-all username of * is not acceptable.

In the ICS Web UI, navigate to Administrators >> Admin Realms >> Admin Realms.
1. Click the admin realm that is currently being used on the ICS for administrator logins. By default, it is "Admin Users".
2. In the "General" tab, under Servers >> Directory/Attribute, select the previously configured LDAP Directory. If none is configured, follow vendor supplied instructions for creating an LDAP Authentication Server.
3. In the "Role Mapping" tab, under "when users meet these conditions", select new rule.
4. Under rule based on, select "Group Membership".
5. Give the rule a name.
6. Select "is".
7. Provide the exact group name in the text box. This name must match the "CN=" attribute name. For example, if the group is "CN=ivanti.adm.group" then add the "ivanti.adm.group" to the text box.
8. Under "then assign these roles", select the admin role used by ICS for admin logins. By default this is ".Administrators".
9. Click "Save Changes".
10. Under "Role Mapping", if there are more roles needed for more specific role-based access to the ICS, configure more of them here.
11. Once complete, click "Save Changes".