ColdFusion must not have local users.

Overview

Finding ID: V-279033
Version: APAS-CF-000040
Rule ID: SV-279033r1171269_rule
IA Controls: CCI-000166
Severity: low

Description
To maintain accountability and enforce access control policies, ColdFusion must require each user to authenticate using a unique account. Shared or generic accounts prevent the ability to associate user actions with specific individuals, which undermines auditing, accountability, and incident response capabilities. Unique user accounts ensure that each action taken within the ColdFusion environment can be attributed to a specific, identifiable user. This is essential for detecting misuse, investigating anomalies, and ensuring compliance with security policies.

STIG: Adobe ColdFusion Security Technical Implementation Guide
Date: 2025-12-19

Details

Check Text (C-279033r1171269_chk)

Verify there are no local users.

1. From the Admin Console Landing Screen, navigate to Security >> User Manager.
2. For each user, validate "External User" is checked and "User Type" is selected.

If "External User" is not checked and "User Type" is not selected, this is a finding.

Fix Text (F-83486r1171268_fix)

Configure External User Accounts:

1. From the Admin Console Landing Screen, navigate to Security >> User Manager.
2. For any user accounts where "External User" is not checked and "User Type" is not selected:
   a. Edit the user account (or remove the account if it should not exist).
   b. Check the box for "External User".
   c. Select the appropriate "User Type".
   d. Click "Update User" to save the changes.
   e. Verify that no local user accounts remain and that all users are correctly configured as external.