The ICS must be configured to use DOD PKI as multifactor authentication (MFA) for interactive logins.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-258609	IVCS-NM-000320	SV-258609r930515_rule		High

Description
MFA is when two or more factors are used to confirm the identity of an individual who is requesting access to digital information resources. Valid factors include something the individual knows (e.g., username and password), something the individual has (e.g., a smartcard or token), or something the individual is (e.g., a fingerprint or biometric). Legacy information system environments only use a single factor for authentication, typically a username and password combination. Although two pieces of data are used in a username and password combination, this is still considered single factor because an attacker can obtain access simply by learning what the user knows. Common attacks against single-factor authentication are attacks on user passwords. These attacks include brute force password guessing, password spraying, and password credential stuffing. MFA, along with strong user account hygiene, helps mitigate against the threat of having account passwords discovered by an attacker. Even in the event of a password compromise, with MFA implemented and required for interactive login, the attacker still needs to acquire something the user has or replicate a piece of user's biometric digital presence. Private industry recognizes and uses a wide variety of MFA solutions. However, DOD public key infrastructure (PKI) is the only prescribed method approved for DOD organizations to implement MFA. For authentication purposes, centralized DOD certificate authorities (CA) issue PKI certificate key pairs (public and private) to individuals using the prescribed x.509 format. The private certificates that have been generated by the issuing CA are downloaded and saved to smartcards which, within DOD, are referred to as common access cards (CAC) or personal identity verification (PIV) cards. This happens at designated DOD badge facilities. The CA maintains a record of the corresponding public keys for use with PKI-enabled environments. Privileged user smartcards, or "alternate tokens", function in the same manner, so this requirement applies to all interactive user sessions (authorized and privileged users). Note: This requirement is used in conjunction with the use of a centralized authentication server (e.g., AAA, RADIUS, LDAP), a separate but equally important requirement. The MFA configuration of this requirement provides identification and the first phase of authentication (the challenge and validated response, thereby confirming the PKI certificate that was presented by the user). The centralized authentication server will provide the second phase of authentication (the digital presence of the PKI ID as a valid user in the requested security domain) and authorization. The centralized authentication server will map validated PKI identities to valid user accounts and determine access levels for authenticated users based on security group membership and role. In cases where the centralized authentication server is not utilized by the network device for user authorization, the network device must map the authenticated identity to the user account for PKI-based authentication.

Description

MFA is when two or more factors are used to confirm the identity of an individual who is requesting access to digital information resources. Valid factors include something the individual knows (e.g., username and password), something the individual has (e.g., a smartcard or token), or something the individual is (e.g., a fingerprint or biometric). Legacy information system environments only use a single factor for authentication, typically a username and password combination. Although two pieces of data are used in a username and password combination, this is still considered single factor because an attacker can obtain access simply by learning what the user knows. Common attacks against single-factor authentication are attacks on user passwords. These attacks include brute force password guessing, password spraying, and password credential stuffing. MFA, along with strong user account hygiene, helps mitigate against the threat of having account passwords discovered by an attacker. Even in the event of a password compromise, with MFA implemented and required for interactive login, the attacker still needs to acquire something the user has or replicate a piece of user's biometric digital presence. Private industry recognizes and uses a wide variety of MFA solutions. However, DOD public key infrastructure (PKI) is the only prescribed method approved for DOD organizations to implement MFA. For authentication purposes, centralized DOD certificate authorities (CA) issue PKI certificate key pairs (public and private) to individuals using the prescribed x.509 format. The private certificates that have been generated by the issuing CA are downloaded and saved to smartcards which, within DOD, are referred to as common access cards (CAC) or personal identity verification (PIV) cards. This happens at designated DOD badge facilities. The CA maintains a record of the corresponding public keys for use with PKI-enabled environments. Privileged user smartcards, or "alternate tokens", function in the same manner, so this requirement applies to all interactive user sessions (authorized and privileged users). Note: This requirement is used in conjunction with the use of a centralized authentication server (e.g., AAA, RADIUS, LDAP), a separate but equally important requirement. The MFA configuration of this requirement provides identification and the first phase of authentication (the challenge and validated response, thereby confirming the PKI certificate that was presented by the user). The centralized authentication server will provide the second phase of authentication (the digital presence of the PKI ID as a valid user in the requested security domain) and authorization. The centralized authentication server will map validated PKI identities to valid user accounts and determine access levels for authenticated users based on security group membership and role. In cases where the centralized authentication server is not utilized by the network device for user authorization, the network device must map the authenticated identity to the user account for PKI-based authentication.

STIG	Date
Ivanti Connect Secure NDM Security Technical Implementation Guide	2023-10-17

Details

Check Text ( C-62349r930513_chk )
In the ICS Web UI, navigate to Administrators >> Admin Realms >> Admin Realms. 1. Click the admin realm that is currently being used on the ICS for administrator logins; by default it is "Admin Users". 2. In the general tab, under Servers >> Authentication, verify that a certificate authenticate server is configured. 3. In the general tab, under Servers >> Directory/Attribute, verify it does not show "none". 4. In the role mapping tab, under "when users meet these conditions", verify the following is configured: - "Group" must be used, and the local site's administrator active directory group must be selected and assigned to the ".Administrators" role. Note: this role could be different if using something other than the default ".Administrators" role. - Use of groups instead of individual user accounts. - Ensure the allow-all username of * is not used. If the ICS must be configured to use DOD PKI as MFA for interactive logins, this is a finding.

Check Text ( C-62349r930513_chk )

In the ICS Web UI, navigate to Administrators >> Admin Realms >> Admin Realms.
1. Click the admin realm that is currently being used on the ICS for administrator logins; by default it is "Admin Users".
2. In the general tab, under Servers >> Authentication, verify that a certificate authenticate server is configured.
3. In the general tab, under Servers >> Directory/Attribute, verify it does not show "none".
4. In the role mapping tab, under "when users meet these conditions", verify the following is configured:
- "Group" must be used, and the local site's administrator active directory group must be selected and assigned to the ".Administrators" role.
Note: this role could be different if using something other than the default ".Administrators" role.
- Use of groups instead of individual user accounts.
- Ensure the allow-all username of * is not used.

If the ICS must be configured to use DOD PKI as MFA for interactive logins, this is a finding.

Fix Text (F-62258r930514_fix)
In the ICS Web UI, navigate to System >> Configuration >> Certificates >> Trusted Server CAs. 1. Click Import Trusted Server CAs. 2. Import the Active Directory root CA certificate by clicking Browse, selecting the certificate file, and clicking Import Certificate. 3. Repeat these steps for the intermediate CA certificate. In the ICS Web UI, navigate to System >> Configuration >> Certificates >> Trusted Client CAs. 1. Click Import CA Certificate. 2. Import the DOD Client CAC root CA certificate by clicking Browse, selecting the certificate file, and clicking Import Certificate (e.g., DOD Root CA 3). 3. Repeat these steps for the intermediate/issuing CAC CA certificate (e.g., DOD ID CA 59). 4. Repeat these steps for each intermediate CAC CA certificate. 5. Click the Root CA certificate that was imported. 6. Under client certificate status checking, ensure the following is set: - Use OCSP with CRL Fallback. - Trusted for client Authentication must be checked. 7. If the network the site is in must use a local OCSP repeater/responder, go to OCSP settings. Otherwise, move on to the Device Certificates. 8. Click OSCP options, Use Manually Configured responders. 9. Enter the URL for the primary and backup OCSP responder. 10. If the OCSP responder requires request signing and Nonce usage, select those here. In the ICS Web UI, navigate to System >> Configuration >> Certificates >> Device Certificates. 1. Click "New CSR". 2. Under Common Name, ensure this has the FQDN for the ICS server. Fill out all other items. 3. If using RSA, select 2048. If using ECC, select P-384. 4. Click Create CSR. Export the CSR and import it into the DOD site's Registration Authority (RA). Ensure that Subject Alternative Names (SANs) are created for all FQDNs, server names, and cluster names on the web enrollment form. 5. Once the certificate is approved, download it and import it in this same section of the ICS. In the ICS Web UI, navigate to Administrators >> Auth Servers. 1. Click "New Servers", under server type, select "Certificate Server", then click "New Server". 2. Type a Name, then under User Name template type . 3. Click "Save Changes". 4. Navigate to Administrators >> Auth Servers. 5. Click "New Servers". Under server type, select "LDAP Server". Click "New Server". 6. Type a name for the primary LDAP server domain. 7. LDAP server: the FQDN of the server (an IP address may cause an error as the LDAP server certificate might not have an IP in the SAN field). 8. LDAP port: 636 (this is for LDAPS). 9. Backup LDAP Server1: the FQDN of the secondary server (an IP address may cause an error as the LDAP server certificate might not have an IP in the SAN field). 10. Backup LDAP Port1: 636. 11. If a third LDAP server is needed, add this and the port info under Backup LDAP Server2 and Backup LDAP Port2. 12. LDAP Server Type: Active Directory. 13. Connection: LDAPS. 14. Ensure Validate Server Certificate is checked. 15. Connection Timeout: 15. 16. Search Timeout: 60. 17. Scroll down to the bottom and click "Save Changes", then click "Test Settings" to ensure valid communications are possible. NOTE: If there are failures in this testing, ensure that the step for Device Certificates and Trusted Server CAs were completed as this will cause LDAPS certificate issues. 18. Under authentication required, click the box for Authentication required to search LDAP. 19. Enter the service account's Admin DN using this as an example format: CN=PCS.SVC,OU=IVANTI,DC=dod,DC=mil 20. Enter the service account's password. 21. Under "Finding user entries" add the base DN of the domain as an example format: DC=dod,DC=mil 22. Under filter, use this specific attribute configuration: userPrincipalName= 23. Under group membership, add the base DN of where admin users that will access, using this as an example format: OU=IVANTI,DC=dod,DC=mil 24. Under filter use the following: cn= 25. Under member attribute use the following: member. 26. Click "Save Changes". 27. In the same LDAP server configuration screen, scroll down and click the "Server Catalog" hyperlink. 28. Under attributes, click New, Type: userPrincipalName, and save the changes. 29. Under groups, click Search. In the search box, type the group name used for admin logins. 30. Check the box next to the group that is found and click "Add Selected". 31. Repeat these steps for all various groups needed for various roles on the ICS system. For example, groups for auditors, ISSOs, NOC, SOC, Viewer, etc. 32. Click "Save Changes". In the ICS Web UI, navigate to Administrators >> Admin Realms. 1. Click the admin realm being used. By default, "Admin Users" is defined. 2. Under servers, go to Authentication and select the certificate authentication realm created that included the customized User template of 3. Under Directory/Attribute, select the previously created LDAP server. 4. Check the box for "Enable dynamic policy evaluation". 5. Check both "Refresh roles" and "refresh resource policies". 6. Click "Save Changes". 7. Go to the Role Mapping tab. 8. Click "New Rule". 9. Select "Rule based on Group Membership", click "Update". 10. Type a name for this rule. 11. Select "is". 12. Type the group name exactly as it appears as the CN LDAP attribute. 13. Select the role. The default is ".Administrators" for ICS admins. NOTE: if other roles for access to ICS management are needed, this can be configured in the Administrators >> Admin Roles section. 14. Click "Save Changes". In the ICS Web UI, navigate to Authentication >> Sign-in >> Sign-in Policies. 1. Create a New URL or edit the */admin/ URL - depending on the site. NOTE: it is recommended to create a new sign-in URL until this configuration is fully tested to ensure there is still web UI reachability in the troubleshooting process. 2. Under authentication realm, click the "User picks from a list of authentication realms". 3. Click "Save Changes". Test and verify the connection with CAC/Alt Token and LDAPS by attempting a web UI login using the token or CAC and entering the sign-in URL.

Fix Text (F-62258r930514_fix)

In the ICS Web UI, navigate to System >> Configuration >> Certificates >> Trusted Server CAs.
1. Click Import Trusted Server CAs.
2. Import the Active Directory root CA certificate by clicking Browse, selecting the certificate file, and clicking Import Certificate.
3. Repeat these steps for the intermediate CA certificate.

In the ICS Web UI, navigate to System >> Configuration >> Certificates >> Trusted Client CAs.
1. Click Import CA Certificate.
2. Import the DOD Client CAC root CA certificate by clicking Browse, selecting the certificate file, and clicking Import Certificate (e.g., DOD Root CA 3).
3. Repeat these steps for the intermediate/issuing CAC CA certificate (e.g., DOD ID CA 59).
4. Repeat these steps for each intermediate CAC CA certificate.
5. Click the Root CA certificate that was imported.
6. Under client certificate status checking, ensure the following is set:
- Use OCSP with CRL Fallback.
- Trusted for client Authentication must be checked.
7. If the network the site is in must use a local OCSP repeater/responder, go to OCSP settings. Otherwise, move on to the Device Certificates.
8. Click OSCP options, Use Manually Configured responders.
9. Enter the URL for the primary and backup OCSP responder.
10. If the OCSP responder requires request signing and Nonce usage, select those here.

In the ICS Web UI, navigate to System >> Configuration >> Certificates >> Device Certificates.
1. Click "New CSR".
2. Under Common Name, ensure this has the FQDN for the ICS server. Fill out all other items.
3. If using RSA, select 2048. If using ECC, select P-384.
4. Click Create CSR. Export the CSR and import it into the DOD site's Registration Authority (RA). Ensure that Subject Alternative Names (SANs) are created for all FQDNs, server names, and cluster names on the web enrollment form.
5. Once the certificate is approved, download it and import it in this same section of the ICS.

In the ICS Web UI, navigate to Administrators >> Auth Servers.
1. Click "New Servers", under server type, select "Certificate Server", then click "New Server".
2. Type a Name, then under User Name template type .
3. Click "Save Changes".
4. Navigate to Administrators >> Auth Servers.
5. Click "New Servers". Under server type, select "LDAP Server". Click "New Server".
6. Type a name for the primary LDAP server domain.
7. LDAP server: the FQDN of the server (an IP address may cause an error as the LDAP server certificate might not have an IP in the SAN field).
8. LDAP port: 636 (this is for LDAPS).
9. Backup LDAP Server1: the FQDN of the secondary server (an IP address may cause an error as the LDAP server certificate might not have an IP in the SAN field).
10. Backup LDAP Port1: 636.
11. If a third LDAP server is needed, add this and the port info under Backup LDAP Server2 and Backup LDAP Port2.
12. LDAP Server Type: Active Directory.
13. Connection: LDAPS.
14. Ensure Validate Server Certificate is checked.
15. Connection Timeout: 15.
16. Search Timeout: 60.
17. Scroll down to the bottom and click "Save Changes", then click "Test Settings" to ensure valid communications are possible.
NOTE: If there are failures in this testing, ensure that the step for Device Certificates and Trusted Server CAs were completed as this will cause LDAPS certificate issues.
18. Under authentication required, click the box for Authentication required to search LDAP.
19. Enter the service account's Admin DN using this as an example format: CN=PCS.SVC,OU=IVANTI,DC=dod,DC=mil
20. Enter the service account's password.
21. Under "Finding user entries" add the base DN of the domain as an example format: DC=dod,DC=mil
22. Under filter, use this specific attribute configuration: userPrincipalName=
23. Under group membership, add the base DN of where admin users that will access, using this as an example format: OU=IVANTI,DC=dod,DC=mil
24. Under filter use the following: cn=
25. Under member attribute use the following: member.
26. Click "Save Changes".
27. In the same LDAP server configuration screen, scroll down and click the "Server Catalog" hyperlink.
28. Under attributes, click New, Type: userPrincipalName, and save the changes.
29. Under groups, click Search. In the search box, type the group name used for admin logins.
30. Check the box next to the group that is found and click "Add Selected".
31. Repeat these steps for all various groups needed for various roles on the ICS system. For example, groups for auditors, ISSOs, NOC, SOC, Viewer, etc.
32. Click "Save Changes".

In the ICS Web UI, navigate to Administrators >> Admin Realms.
1. Click the admin realm being used. By default, "Admin Users" is defined.
2. Under servers, go to Authentication and select the certificate authentication realm created that included the customized User template of
3. Under Directory/Attribute, select the previously created LDAP server.
4. Check the box for "Enable dynamic policy evaluation".
5. Check both "Refresh roles" and "refresh resource policies".
6. Click "Save Changes".
7. Go to the Role Mapping tab.
8. Click "New Rule".
9. Select "Rule based on Group Membership", click "Update".
10. Type a name for this rule.
11. Select "is".
12. Type the group name exactly as it appears as the CN LDAP attribute.
13. Select the role. The default is ".Administrators" for ICS admins.
NOTE: if other roles for access to ICS management are needed, this can be configured in the Administrators >> Admin Roles section.
14. Click "Save Changes".

In the ICS Web UI, navigate to Authentication >> Sign-in >> Sign-in Policies.
1. Create a New URL or edit the */admin/ URL - depending on the site.
NOTE: it is recommended to create a new sign-in URL until this configuration is fully tested to ensure there is still web UI reachability in the troubleshooting process.
2. Under authentication realm, click the "User picks from a list of authentication realms".
3. Click "Save Changes".

Test and verify the connection with CAC/Alt Token and LDAPS by attempting a web UI login using the token or CAC and entering the sign-in URL.