AvePoint Fly Server Security Technical Implementation Guide

Overview

VersionDateFinding Count (22)Downloads
V1R12026-06-15CAT I (High): 4CAT II (Medium): 17CAT III (Low): 1
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of War (DoW) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
ClassifiedPublicSensitive
I - Mission Critical ClassifiedI - Mission Critical PublicI - Mission Critical Sensitive
II - Mission Support ClassifiedII - Mission Support PublicII - Mission Support Sensitive
III - Administrative ClassifiedIII - Administrative PublicIII - Administrative Sensitive

Findings - All

Finding IDSeverityTitleDescription
V-283928
LOWMEDIUMHIGH
Fly Server must use an approved DoW enterprise identity, credential, and access management (ICAM) solution to uniquely identify and authenticate organizational users.To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and...
V-283938
LOWMEDIUMHIGH
Fly Server must have no local accounts for the user interface.To ensure accountability and prevent unauthenticated access, nonprivileged users must utilize multifactor authentication to prevent potential misuse a...
V-283939
LOWMEDIUMHIGH
Fly Server must have local authentication disabled.To ensure accountability and prevent unauthenticated access, nonprivileged users must utilize multifactor authentication to prevent potential misuse a...
V-284032
LOWMEDIUMHIGH
Fly Server must be a version supported by the vendor.Unsupported software and systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support ...
V-283924
LOWMEDIUMHIGH
Fly Server must limit the number of concurrent sessions for all accounts and/or account types.Application management includes the ability to control the number of users and user sessions that use an application. Limiting the number of allowed u...
V-283925
LOWMEDIUMHIGH
Fly Server must automatically disable accounts after a 35-day period of account inactivity.Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive acc...
V-283926
LOWMEDIUMHIGH
Fly Server must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, ...
V-283927
LOWMEDIUMHIGH
Fly Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL) and vulnerability assessments.Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. ...
V-283929
LOWMEDIUMHIGH
Fly Server must enforce a minimum 15-character password length.The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexit...
V-283930
LOWMEDIUMHIGH
Fly Server must enforce password complexity by requiring that at least one uppercase character be used.Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure...
V-283931
LOWMEDIUMHIGH
Fly Server must enforce password complexity by requiring that at least one lowercase character be used.Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure...
V-283932
LOWMEDIUMHIGH
Fly Server must enforce password complexity by requiring that at least one numeric character be used.Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure...
V-283933
LOWMEDIUMHIGH
Fly Server must enforce password complexity by requiring that at least one special character be used.Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure...
V-283934
LOWMEDIUMHIGH
Fly Server must require the change of at least eight of the total number of characters when passwords are changed.If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increa...
V-283935
LOWMEDIUMHIGH
Fly Server must enforce 24 hours/1 day as the minimum password lifetime.Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. Restri...
V-283936
LOWMEDIUMHIGH
Fly Server must terminate sessions after 10 minutes.Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se...
V-283937
LOWMEDIUMHIGH
Fly Server must notify system administrators (SAs) and the information system security officer (ISSO) for all account-related events.Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of reestablishing access. One way to ...
V-283941
LOWMEDIUMHIGH
Fly Server must only allow the use of DoW PKI established certificate authorities for verification of the establishment of protected sessions.Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoW syst...
V-284007
LOWMEDIUMHIGH
Fly Server must enforce a role-based access control (RBAC) policy over defined subjects and objects.RBAC is an access control policy that restricts information system access to authorized users. Without these security policies, access control and enf...
V-284030
LOWMEDIUMHIGH
Fly Server must automatically check for updates weekly.Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovere...
V-284031
LOWMEDIUMHIGH
Fly Server must be updated within 30 days of an update release.Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovere...
V-283942
LOWMEDIUMHIGH
Fly Server must be configured to use an enterprise database solution.Configuring the application to implement organizationwide security implementation guides and security checklists ensures compliance with federal stand...