UCF STIG Viewer Logo

The web server must encrypt user identifiers and passwords.


Finding ID Version Rule ID IA Controls Severity
V-56031 SRG-APP-000429-WSR-000113 SV-70285r2_rule Medium
When data is written to digital media, such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. User identities and passwords stored on the hard drive of the hosting hardware must be encrypted to protect the data from easily being discovered and used by an unauthorized user to access the hosted applications. The cryptographic libraries and functionality used to store and retrieve the user identifiers and passwords must be part of the web server.
Web Server Security Requirements Guide 2019-03-20


Check Text ( C-56601r2_chk )
Review the web server documentation and deployed configuration to determine whether the web server is authorizing and managing users.

If the web server is not authorizing and managing users, this is NA.

If the web server is the user authenticator and manager, verify that stored user identifiers and passwords are being encrypted by the web server. If the user information is not being encrypted when stored, this is a finding.
Fix Text (F-60909r1_fix)
Configure the web server to encrypt the user identifiers and passwords when storing them on digital media.