<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="AvePoint_Fly_Server_STIG" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2026-06-15">accepted</status><title>AvePoint Fly Server Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of War (DoW) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><front-matter xml:lang="en"></front-matter><rear-matter xml:lang="en"></rear-matter><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 1 Benchmark Date: 28 Apr 2026</plain-text><plain-text id="generator">3.5.2</plain-text><plain-text id="conventionsVersion">1.10.0</plain-text><version>1</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-283924" selected="true" /><select idref="V-283925" selected="true" /><select idref="V-283926" selected="true" /><select idref="V-283927" selected="true" /><select idref="V-283928" selected="true" /><select idref="V-283929" selected="true" /><select idref="V-283930" selected="true" /><select idref="V-283931" selected="true" /><select idref="V-283932" selected="true" /><select idref="V-283933" selected="true" /><select idref="V-283934" selected="true" /><select idref="V-283935" selected="true" /><select idref="V-283936" selected="true" /><select idref="V-283937" selected="true" /><select idref="V-283938" selected="true" /><select idref="V-283939" selected="true" /><select idref="V-283941" selected="true" /><select idref="V-283942" selected="true" /><select idref="V-284007" selected="true" /><select idref="V-284030" selected="true" /><select idref="V-284031" selected="true" /><select idref="V-284032" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-283924" selected="true" /><select idref="V-283925" selected="true" /><select idref="V-283926" selected="true" /><select idref="V-283927" selected="true" /><select idref="V-283928" selected="true" /><select idref="V-283929" selected="true" /><select idref="V-283930" selected="true" /><select idref="V-283931" selected="true" /><select idref="V-283932" selected="true" /><select idref="V-283933" selected="true" /><select idref="V-283934" selected="true" /><select idref="V-283935" selected="true" /><select idref="V-283936" selected="true" /><select idref="V-283937" selected="true" /><select idref="V-283938" selected="true" /><select idref="V-283939" selected="true" /><select idref="V-283941" selected="true" /><select idref="V-283942" selected="true" /><select idref="V-284007" selected="true" /><select idref="V-284030" selected="true" /><select idref="V-284031" selected="true" /><select idref="V-284032" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-283924" selected="true" /><select idref="V-283925" selected="true" /><select idref="V-283926" selected="true" /><select idref="V-283927" selected="true" /><select idref="V-283928" selected="true" /><select idref="V-283929" selected="true" /><select idref="V-283930" selected="true" /><select idref="V-283931" selected="true" /><select idref="V-283932" selected="true" /><select idref="V-283933" selected="true" /><select idref="V-283934" selected="true" /><select idref="V-283935" selected="true" /><select idref="V-283936" selected="true" /><select idref="V-283937" selected="true" /><select idref="V-283938" selected="true" /><select idref="V-283939" selected="true" /><select idref="V-283941" selected="true" /><select idref="V-283942" selected="true" /><select idref="V-284007" selected="true" /><select idref="V-284030" selected="true" /><select idref="V-284031" selected="true" /><select idref="V-284032" selected="true" /></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-283924" selected="true" /><select idref="V-283925" selected="true" /><select idref="V-283926" selected="true" /><select idref="V-283927" selected="true" /><select idref="V-283928" selected="true" /><select idref="V-283929" selected="true" /><select idref="V-283930" selected="true" /><select idref="V-283931" selected="true" /><select idref="V-283932" selected="true" /><select idref="V-283933" selected="true" /><select idref="V-283934" selected="true" /><select idref="V-283935" selected="true" /><select idref="V-283936" selected="true" /><select idref="V-283937" selected="true" /><select idref="V-283938" selected="true" /><select idref="V-283939" selected="true" /><select idref="V-283941" selected="true" /><select idref="V-283942" selected="true" /><select idref="V-284007" selected="true" /><select idref="V-284030" selected="true" /><select idref="V-284031" selected="true" /><select idref="V-284032" selected="true" /></Profile><Profile id="MAC-2_Public"><title>II - Mission Support Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-283924" selected="true" /><select idref="V-283925" selected="true" /><select idref="V-283926" selected="true" /><select idref="V-283927" selected="true" /><select idref="V-283928" selected="true" /><select idref="V-283929" selected="true" /><select idref="V-283930" selected="true" /><select idref="V-283931" selected="true" /><select idref="V-283932" selected="true" /><select idref="V-283933" selected="true" /><select idref="V-283934" selected="true" /><select idref="V-283935" selected="true" /><select idref="V-283936" selected="true" /><select idref="V-283937" selected="true" /><select idref="V-283938" selected="true" /><select idref="V-283939" selected="true" /><select idref="V-283941" selected="true" /><select idref="V-283942" selected="true" /><select idref="V-284007" selected="true" /><select idref="V-284030" selected="true" /><select idref="V-284031" selected="true" /><select idref="V-284032" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-283924" selected="true" /><select idref="V-283925" selected="true" /><select idref="V-283926" selected="true" /><select idref="V-283927" selected="true" /><select idref="V-283928" selected="true" /><select idref="V-283929" selected="true" /><select idref="V-283930" selected="true" /><select idref="V-283931" selected="true" /><select idref="V-283932" selected="true" /><select idref="V-283933" selected="true" /><select idref="V-283934" selected="true" /><select idref="V-283935" selected="true" /><select idref="V-283936" selected="true" /><select idref="V-283937" selected="true" /><select idref="V-283938" selected="true" /><select idref="V-283939" selected="true" /><select idref="V-283941" selected="true" /><select idref="V-283942" selected="true" /><select idref="V-284007" selected="true" /><select idref="V-284030" selected="true" /><select idref="V-284031" selected="true" /><select idref="V-284032" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-283924" selected="true" /><select idref="V-283925" selected="true" /><select idref="V-283926" selected="true" /><select idref="V-283927" selected="true" /><select idref="V-283928" selected="true" /><select idref="V-283929" selected="true" /><select idref="V-283930" selected="true" /><select idref="V-283931" selected="true" /><select idref="V-283932" selected="true" /><select idref="V-283933" selected="true" /><select idref="V-283934" selected="true" /><select idref="V-283935" selected="true" /><select idref="V-283936" selected="true" /><select idref="V-283937" selected="true" /><select idref="V-283938" selected="true" /><select idref="V-283939" selected="true" /><select idref="V-283941" selected="true" /><select idref="V-283942" selected="true" /><select idref="V-284007" selected="true" /><select idref="V-284030" selected="true" /><select idref="V-284031" selected="true" /><select idref="V-284032" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-283924" selected="true" /><select idref="V-283925" selected="true" /><select idref="V-283926" selected="true" /><select idref="V-283927" selected="true" /><select idref="V-283928" selected="true" /><select idref="V-283929" selected="true" /><select idref="V-283930" selected="true" /><select idref="V-283931" selected="true" /><select idref="V-283932" selected="true" /><select idref="V-283933" selected="true" /><select idref="V-283934" selected="true" /><select idref="V-283935" selected="true" /><select idref="V-283936" selected="true" /><select idref="V-283937" selected="true" /><select idref="V-283938" selected="true" /><select idref="V-283939" selected="true" /><select idref="V-283941" selected="true" /><select idref="V-283942" selected="true" /><select idref="V-284007" selected="true" /><select idref="V-284030" selected="true" /><select idref="V-284031" selected="true" /><select idref="V-284032" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-283924" selected="true" /><select idref="V-283925" selected="true" /><select idref="V-283926" selected="true" /><select idref="V-283927" selected="true" /><select idref="V-283928" selected="true" /><select idref="V-283929" selected="true" /><select idref="V-283930" selected="true" /><select idref="V-283931" selected="true" /><select idref="V-283932" selected="true" /><select idref="V-283933" selected="true" /><select idref="V-283934" selected="true" /><select idref="V-283935" selected="true" /><select idref="V-283936" selected="true" /><select idref="V-283937" selected="true" /><select idref="V-283938" selected="true" /><select idref="V-283939" selected="true" /><select idref="V-283941" selected="true" /><select idref="V-283942" selected="true" /><select idref="V-284007" selected="true" /><select idref="V-284030" selected="true" /><select idref="V-284031" selected="true" /><select idref="V-284032" selected="true" /></Profile><Group id="V-283924"><title>SRG-APP-000001</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283924r1206887_rule" weight="10.0" severity="medium"><version>FLYS-00-000005</version><title>Fly Server must limit the number of concurrent sessions for all accounts and/or account types.</title><description>&lt;VulnDiscussion&gt;Application management includes the ability to control the number of users and user sessions that use an application. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to denial-of-service (DoS) attacks.

This requirement may be met via the application or by using information system session control provided by a web server with specialized session management capabilities. If it has been specified that this requirement will be handled by the application, the capability to limit the maximum number of concurrent single user sessions must be designed and built into the application. 

This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be defined based upon mission needs and the operational environment for each system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000054</ident><fixtext fixref="F-88394r1206886_fix">Configure the Fly Server Manager session setting:
- Log on to Fly Server Manager with an admin account.
- On the Management &gt;&gt; General Settings page, click the "System Option" tab. 
- Uncheck the "Allow concurrent sessions from multiple servers for the same account" setting.
- Save the setting.</fixtext><fix id="F-88394r1206886_fix" /><check system="C-88489r1206885_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>Check the Fly Server Manager session setting:
- Log on to Fly Server Manager with an admin account.
- On the Management &gt;&gt; General Settings page, click the "System Option" tab. 
- Verify the "Allow concurrent sessions from multiple servers for the same account" setting.

If this setting is checked, this is a finding.</check-content></check></Rule></Group><Group id="V-283925"><title>SRG-APP-000025</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283925r1206871_rule" weight="10.0" severity="medium"><version>FLYS-00-000015</version><title>Fly Server must automatically disable accounts after a 35-day period of account inactivity.</title><description>&lt;VulnDiscussion&gt;Attackers that are able to exploit an inactive account can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Applications need to track periods of user inactivity and disable accounts after 35 days of inactivity. Such a process greatly reduces the risk that accounts will be hijacked, leading to a data compromise. 

To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality. 

This policy does not apply to either emergency accounts or infrequently used accounts. Infrequently used accounts are local login administrator accounts used by system administrators when network or normal logon/access is not available. Emergency accounts are administrator accounts created in response to crisis situations.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000017</ident><fixtext fixref="F-88395r1206870_fix">Configure the Fly Server security settings: 
- Log on to Fly Server Manager with the administrator account.
- On the Management &gt;&gt; General Settings page, click the "Security Option" tab.
- Navigate to "User Settings", then click "Deactivate a user after 35 days of inactivity" option. 
- Set 35 days or other values as required.
- Save the setting.</fixtext><fix id="F-88395r1206870_fix" /><check system="C-88490r1206869_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>Check the Fly Server security settings:
- Log on to Fly Server Manager with the admin account.
- On the Management &gt;&gt; General Settings page, click the "Security Option" tab.
- Navigate to "User Settings". 
- Verify the "Deactivate a user after 35 days of inactivity" option is checked. 

If this option is not checked, this is a finding.</check-content></check></Rule></Group><Group id="V-283926"><title>SRG-APP-000065</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283926r1206132_rule" weight="10.0" severity="medium"><version>FLYS-00-000020</version><title>Fly Server must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.</title><description>&lt;VulnDiscussion&gt;By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.

Satisfies: SRG-APP-000065, SRG-APP-000345, SRG-APP-000295, SRG-APP-000317&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000044</ident><ident system="http://cyber.mil/cci">CCI-002238</ident><ident system="http://cyber.mil/cci">CCI-002361</ident><ident system="http://cyber.mil/cci">CCI-004045</ident><fixtext fixref="F-88396r1206131_fix">Configure the logon configuration in Fly Server Manager:
- Access the VM or server where the Fly Server manager is installed. 
- Find the installation location of Fly Server manager.
- Open the "TimerService.exe.config" file in ...\APElements\FLY\Manager\Control\bin.
- Find following node and set the value to "3":

&lt;add key="FailedLogOnLimitationCount" value="3" /&gt;</fixtext><fix id="F-88396r1206131_fix" /><check system="C-88491r1206130_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>Check the logon configuration in Fly Server Manager:
- Access the VM or server where the Fly Server manager is installed. 
- Find the installation location of Fly Server manager.
- Open the "TimerService.exe.config" file in ...\APElements\FLY\Manager\Control\bin.
- Check the key "FailedLogOnLimitationCount".

If the value is not "3", this is a finding.</check-content></check></Rule></Group><Group id="V-283927"><title>SRG-APP-000142</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283927r1206911_rule" weight="10.0" severity="medium"><version>FLYS-00-000035</version><title>Fly Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL) and vulnerability assessments.</title><description>&lt;VulnDiscussion&gt;Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.

Application communication sessions are protected using transport encryption protocols, such as TLS, which provides web applications with a means to be able to authenticate user sessions and encrypt application traffic. Session authentication can be single (one-way) or mutual (two-way) in nature. Single authentication authenticates the server for the client, whereas mutual authentication provides a means for both the client and the server to authenticate each other. 

This requirement applies to applications that use communications sessions. This includes, but is not limited to, web-based applications and service-oriented architectures (SOAs). 

This requirement addresses communications protection at the application session, versus the network packet, and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of TLS mutual authentication (two-way/bidirectional).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000382</ident><fixtext fixref="F-88397r1206134_fix">Configure the internal communication ports for Fly Server Manager and Agent.
- Install Fly Server Manager and Agent.
- Set Manager Access URL and Internal Communication Port setting, set to ports that are not organization-defined to be in use by another system.</fixtext><fix id="F-88397r1206134_fix" /><check system="C-88492r1206133_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>Open the Fly Server console in a browser and note the port number in the URL.

Fly Server uses ports 20100 and 20101 by default for Manager and Agent internal communication. 

If the ports used are organization-defined to be in use by another system, this is a finding.</check-content></check></Rule></Group><Group id="V-283928"><title>SRG-APP-000155</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283928r1223356_rule" weight="10.0" severity="high"><version>FLYS-00-000055</version><title>Fly Server must use an approved DoW enterprise identity, credential, and access management (ICAM) solution to uniquely identify and authenticate organizational users.</title><description>&lt;VulnDiscussion&gt;To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. This is typically accomplished via the use of a user store, which is either local (OS-based) or centralized (LDAP) in nature. However, DODI 8520.03 now requires that applications use an approved DoW enterprise (E-ICAM) solution whenever the ICAM solution addresses information system needs. Where the ICAM solution has been evaluated and found to not meet the needs of information system owners, information system owners must reevaluate decisions to use locally managed solutions and transition to DoW enterprise ICAM solutions to the maximum extent possible as the enterprise ICAM solutions mature.

Satisfies: SRG-APP-000155, SRG-APP-000023, SRG-APP-000149, SRG-APP-000150, SRG-APP-000154, SRG-APP-000156, SRG-APP-000174, SRG-APP-000318, SRG-APP-000334, SRG-APP-000391, SRG-APP-000392, SRG-APP-000402, SRG-APP-000403, SRG-APP-000404, SRG-APP-000405, SRG-APP-000461, SRG-APP-000700, SRG-APP-000705, SRG-APP-000710, SRG-APP-000740, SRG-APP-000820, SRG-APP-000825, SRG-APP-000830, SRG-APP-000875, SRG-APP-000960, SRG-APP-000965, SRG-APP-000970, SRG-APP-000975, SRG-APP-000980, SRG-APP-000985, SRG-APP-000990, SRG-APP-000995, SRG-APP-001000, SRG-APP-000148, SRG-APP-000153, SRG-APP-000157, SRG-APP-000212, SRG-APP-000389, SRG-APP-000175, SRG-APP-000176, SRG-APP-000177, SRG-APP-000395, SRG-APP-000400, SRG-APP-000401, SRG-APP-001005, SRG-APP-001010, SRG-APP-001015, SRG-APP-001020, SRG-APP-001025&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004046</ident><ident system="http://cyber.mil/cci">CCI-000015</ident><ident system="http://cyber.mil/cci">CCI-000765</ident><ident system="http://cyber.mil/cci">CCI-000766</ident><ident system="http://cyber.mil/cci">CCI-001941</ident><ident system="http://cyber.mil/cci">CCI-004066</ident><ident system="http://cyber.mil/cci">CCI-002145</ident><ident system="http://cyber.mil/cci">CCI-002205</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><ident system="http://cyber.mil/cci">CCI-001953</ident><ident system="http://cyber.mil/cci">CCI-001954</ident><ident system="http://cyber.mil/cci">CCI-002009</ident><ident system="http://cyber.mil/cci">CCI-002010</ident><ident system="http://cyber.mil/cci">CCI-004083</ident><ident system="http://cyber.mil/cci">CCI-004085</ident><ident system="http://cyber.mil/cci">CCI-003747</ident><ident system="http://cyber.mil/cci">CCI-003627</ident><ident system="http://cyber.mil/cci">CCI-003628</ident><ident system="http://cyber.mil/cci">CCI-003629</ident><ident system="http://cyber.mil/cci">CCI-004047</ident><ident system="http://cyber.mil/cci">CCI-004058</ident><ident system="http://cyber.mil/cci">CCI-004068</ident><ident system="http://cyber.mil/cci">CCI-005155</ident><ident system="http://cyber.mil/cci">CCI-005156</ident><ident system="http://cyber.mil/cci">CCI-005157</ident><ident system="http://cyber.mil/cci">CCI-005158</ident><ident system="http://cyber.mil/cci">CCI-005159</ident><ident system="http://cyber.mil/cci">CCI-005160</ident><ident system="http://cyber.mil/cci">CCI-005161</ident><ident system="http://cyber.mil/cci">CCI-005162</ident><ident system="http://cyber.mil/cci">CCI-005163</ident><ident system="http://cyber.mil/cci">CCI-000764</ident><ident system="http://cyber.mil/cci">CCI-004045</ident><ident system="http://cyber.mil/cci">CCI-001083</ident><ident system="http://cyber.mil/cci">CCI-002038</ident><ident system="http://cyber.mil/cci">CCI-000185</ident><ident system="http://cyber.mil/cci">CCI-000186</ident><ident system="http://cyber.mil/cci">CCI-000187</ident><ident system="http://cyber.mil/cci">CCI-001967</ident><ident system="http://cyber.mil/cci">CCI-002007</ident><ident system="http://cyber.mil/cci">CCI-005164</ident><ident system="http://cyber.mil/cci">CCI-005165</ident><ident system="http://cyber.mil/cci">CCI-005166</ident><ident system="http://cyber.mil/cci">CCI-005167</ident><ident system="http://cyber.mil/cci">CCI-005168</ident><fixtext fixref="F-88398r1206137_fix">Configure the Fly Server Account Manager setting to ensure AD Integration or AAD Integration is enabled:
- Log on to Fly Server with an admin account.
- On the Management &gt;&gt; Account Manager page, click "Authentication Manager".
- Navigate to AD Integration or AAD Integration.
- Set the Action of AD Integration or AAD Integration to "Enable".
- Add an AD domain after AD integration is enabled.
- Save the setting.

Add AD user/group or AAD user/group to Account Manager; realize automated mechanisms through AD or AAD account management functions.</fixtext><fix id="F-88398r1206137_fix" /><check system="C-88493r1206888_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>Fly Server must be integrated with Active Directory (AD) and Azure AD (AAD) for automated account management.

Check the Fly Server Account Manager setting to verify AD Integration or AAD Integration is enabled:
- Log on to Fly Server with an admin account.
- On the Management &gt;&gt; Account Manager page, click "Authentication Manager".
- Navigate to AD Integration or AAD Integration.
- Verify the AD Integration or AAD Integration option is enabled.

If the AD Integration or AAD Integration option is not enabled, this is a finding.</check-content></check></Rule></Group><Group id="V-283929"><title>SRG-APP-000164</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283929r1206891_rule" weight="10.0" severity="medium"><version>FLYS-00-000065</version><title>Fly Server must enforce a minimum 15-character password length.</title><description>&lt;VulnDiscussion&gt;The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 

Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004066</ident><fixtext fixref="F-88399r1206140_fix">Configure the Fly Server Account Manager setting to ensure AD Integration or AAD Integration is enabled:
- Log on to Fly Server with an admin account.
- On the Management &gt;&gt; Account Manager page, click "Authentication Manager".
- Navigate to AD Integration or AAD Integration.
- Set the Action of AD Integration or AAD Integration to "Enable".
- Add an AD domain after AD integration is enabled.
- Save the setting.

Add AD user/group or AAD user/group to Account Manager; realize automated mechanisms through AD or AAD account management functions.</fixtext><fix id="F-88399r1206140_fix" /><check system="C-88494r1206890_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>Fly Server must be integrated with Active Directory (AD) and Azure AD (AAD) for automated account management.

Check the Fly Server Account Manager setting to verify AD Integration or AAD Integration is enabled:
- Log on to Fly Server with an admin account.
- On the Management &gt;&gt; Account Manager page, click "Authentication Manager".
- Navigate to AD Integration or AAD Integration.
- Verify the AD Integration or AAD Integration option is enabled.

If the AD Integration or AAD Integration option is not enabled, this is a finding.</check-content></check></Rule></Group><Group id="V-283930"><title>SRG-APP-000166</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283930r1206893_rule" weight="10.0" severity="medium"><version>FLYS-00-000070</version><title>Fly Server must enforce password complexity by requiring that at least one uppercase character be used.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 

Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004066</ident><fixtext fixref="F-88400r1206892_fix">Configure the Fly Server Manager security configuration:
- Log on to Fly Server with an admin account.
- On the Management &gt;&gt; General Settings page, click the "Security Option" tab. 
- Set the Password Complexity setting to Custom, select four checkboxes to enforce that the password must contain four character types: uppercase letters, lowercase letters, digits, and special characters.</fixtext><fix id="F-88400r1206892_fix" /><check system="C-88495r1206873_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>Check the Fly Server Manager security configuration:
- Log on to Fly Server with an admin account.
- On the Management &gt;&gt; General Settings page, click the "Security Option" tab. 
- Verify the Password Complexity setting.

If the Password complexity setting is not set to Custom, with checkboxes enabled for uppercase letters, lowercase letters, numerical digits, and special characters, this is a finding.</check-content></check></Rule></Group><Group id="V-283931"><title>SRG-APP-000167</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283931r1206876_rule" weight="10.0" severity="medium"><version>FLYS-00-000075</version><title>Fly Server must enforce password complexity by requiring that at least one lowercase character be used.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 

Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004066</ident><fixtext fixref="F-88401r1206146_fix">Configure the Fly Server Manager security configuration:
- Log on to Fly Server with an admin account.
- On the Management &gt;&gt; General Settings page, click the "Security Option" tab. 
- Set the Password Complexity setting to Custom, select four checkboxes to enforce that the password must contain four character types: uppercase letters, lowercase letters, digits, and special characters.</fixtext><fix id="F-88401r1206146_fix" /><check system="C-88496r1206875_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>Check the Fly Server Manager security configuration:
- Log on to Fly Server with an admin account.
- On the Management &gt;&gt; General Settings page, click the "Security Option" tab. 
- Verify the Password Complexity setting.

If the Password complexity setting is not set to Custom, with checkboxes enabled for uppercase letters, lowercase letters, numerical digits, and special characters, this is a finding.</check-content></check></Rule></Group><Group id="V-283932"><title>SRG-APP-000168</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283932r1206878_rule" weight="10.0" severity="medium"><version>FLYS-00-000080</version><title>Fly Server must enforce password complexity by requiring that at least one numeric character be used.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 

Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004066</ident><fixtext fixref="F-88402r1206149_fix">Configure the Fly Server Manager security configuration:
- Log on to Fly Server with an admin account.
- On the Management &gt;&gt; General Settings page, click the "Security Option" tab. 
- Set the Password Complexity setting to Custom, select four checkboxes to enforce that the password must contain four character types: uppercase letters, lowercase letters, digits, and special characters.</fixtext><fix id="F-88402r1206149_fix" /><check system="C-88497r1206877_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>Check the Fly Server Manager security configuration:
- Log on to Fly Server with an admin account.
- On the Management &gt;&gt; General Settings page, click the "Security Option" tab. 
- Verify the Password Complexity setting.

If the Password complexity setting is not set to Custom, with checkboxes enabled for uppercase letters, lowercase letters, numerical digits, and special characters, this is a finding.</check-content></check></Rule></Group><Group id="V-283933"><title>SRG-APP-000169</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283933r1206880_rule" weight="10.0" severity="medium"><version>FLYS-00-000085</version><title>Fly Server must enforce password complexity by requiring that at least one special character be used.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 

Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 

Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004066</ident><fixtext fixref="F-88403r1206152_fix">Configure the Fly Server Manager security configuration:
- Log on to Fly Server with an admin account.
- On the Management &gt;&gt; General Settings page, click the "Security Option" tab. 
- Set the Password Complexity setting to Custom, select four checkboxes to enforce that the password must contain four character types: uppercase letters, lowercase letters, digits, and special characters.</fixtext><fix id="F-88403r1206152_fix" /><check system="C-88498r1206879_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>Check the Fly Server Manager security configuration:
- Log on to Fly Server with an admin account.
- On the Management &gt;&gt; General Settings page, click the "Security Option" tab. 
- Verify the Password Complexity setting.

If the Password complexity setting is not set to Custom, with checkboxes enabled for uppercase letters, lowercase letters, numerical digits, and special characters, this is a finding.</check-content></check></Rule></Group><Group id="V-283934"><title>SRG-APP-000170</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283934r1206156_rule" weight="10.0" severity="medium"><version>FLYS-00-000090</version><title>Fly Server must require the change of at least eight of the total number of characters when passwords are changed.</title><description>&lt;VulnDiscussion&gt;If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.

The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004066</ident><fixtext fixref="F-88404r1206155_fix">Configure the Fly Server Manager security configuration:
- Log on to Fly Server with an admin account.
- On the Management &gt;&gt; General Settings page, click the "Security Option" tab. 
- Set Change Password setting, check option "New password cannot have consecutively same 8 characters as previous password".</fixtext><fix id="F-88404r1206155_fix" /><check system="C-88499r1206154_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>Check the Fly Server Manager security configuration:
- Log on to Fly Server with an admin account.
- On the Management &gt;&gt; General Settings page, click the "Security Option" tab. 
- Verify the Change Password setting is set to "New password cannot have consecutively same 8 characters as previous password".

If this option is unchecked, this is a finding.</check-content></check></Rule></Group><Group id="V-283935"><title>SRG-APP-000173</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283935r1206159_rule" weight="10.0" severity="medium"><version>FLYS-00-000095</version><title>Fly Server must enforce 24 hours/1 day as the minimum password lifetime.</title><description>&lt;VulnDiscussion&gt;Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement.

Restricting this setting limits the user's ability to change their password. Passwords must be changed at specific policy based intervals; however, if the application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-004066</ident><fixtext fixref="F-88405r1206158_fix">Configure the Fly Server Manager security configuration:
- Log on to Fly Server with an admin account.
- On the Management &gt;&gt; General Settings page, click the "Security Option" tab. 
- Check "Change the password once only within 24 hours" to set the Change Password setting.</fixtext><fix id="F-88405r1206158_fix" /><check system="C-88500r1206157_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>Check the Fly Server Manager security configuration:
- Log on to Fly Server with an admin account.
- On the Management &gt;&gt; General Settings page, click the "Security Option" tab. 
- Verify the Change Password setting option "Change the password once only within 24 hours" is checked.

If this option is unchecked, this is a finding.</check-content></check></Rule></Group><Group id="V-283936"><title>SRG-APP-000190</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283936r1206162_rule" weight="10.0" severity="medium"><version>FLYS-00-000100</version><title>Fly Server must terminate sessions after 10 minutes.</title><description>&lt;VulnDiscussion&gt;Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. 

Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the application terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001133</ident><fixtext fixref="F-88406r1206161_fix">Configure the Fly Server Manager session setting:
- Log on to Fly Server Manager with an admin account.
- On the Management &gt;&gt; General Settings page, click the "System Option" tab. 
- Set the session setting to "Session Will Expire After Inactivity for 10 minutes".</fixtext><fix id="F-88406r1206161_fix" /><check system="C-88501r1206160_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>Check the Fly Server Manager session setting:
- Log on to Fly Server Manager with an admin account.
- On the Management &gt;&gt; General Settings page, click the "System Option" tab. 
- Verify the "Session Will Expire After Inactivity for:" setting is selected.

If this setting is not 10 minutes, this is a finding.</check-content></check></Rule></Group><Group id="V-283937"><title>SRG-APP-000291</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283937r1206895_rule" weight="10.0" severity="medium"><version>FLYS-00-000105</version><title>Fly Server must notify system administrators (SAs) and the information system security officer (ISSO) for all account-related events.</title><description>&lt;VulnDiscussion&gt;Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Sending notification of account creation events to the SA and ISSO is one method for mitigating this risk.

To address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to off-load those access control functions and focus on core application features and functionality.

Satisfies: SRG-APP-000291, SRG-APP-000292, SRG-APP-000293, SRG-APP-000294, SRG-APP-000320&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000015</ident><fixtext fixref="F-88407r1206164_fix">Configure the Fly Server Manager Notification setting:
- Log on to Fly Server Manager with admin account.
- On the Management &gt;&gt; Email Configuration, click the "Email Notification" tab.
- Select the "Send account management notification emails to:" setting.
- Save the setting.</fixtext><fix id="F-88407r1206164_fix" /><check system="C-88502r1206894_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>Check the Fly Server Manager Notification setting:
- Log on to Fly Server Manager with an admin account.
- On the Management &gt;&gt; Email Configuration, click the "Email Notification" tab. 
- Verify "Send account management notification emails to:" is selected.

If this setting is not set, this is a finding.</check-content></check></Rule></Group><Group id="V-283938"><title>SRG-APP-000150</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283938r1223357_rule" weight="10.0" severity="high"><version>FLYS-00-000110</version><title>Fly Server must have no local accounts for the user interface.</title><description>&lt;VulnDiscussion&gt;To ensure accountability and prevent unauthenticated access, nonprivileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. 

Multifactor authentication uses two or more factors to achieve authentication. 

Factors include:
(i) Something you know (e.g., password/PIN); 
(ii) Something you have (e.g., cryptographic identification device, token); or 
(iii) Something you are (e.g., biometric). 

A nonprivileged account is any information system account with authorizations of a nonprivileged user. 

Network access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection.

Applications integrating with the DoW Active Directory and utilize the DoW CAC are examples of compliant multifactor authentication solutions.

Satisfies: SRG-APP-000150, SRG-APP-000023, SRG-APP-000024, SRG-APP-000065, SRG-APP-000148, SRG-APP-000153, SRG-APP-000154, SRG-APP-000155, SRG-APP-000156, SRG-APP-000157, SRG-APP-000163, SRG-APP-000175, SRG-APP-000176, SRG-APP-000177, SRG-APP-000178, SRG-APP-000180, SRG-APP-000183, SRG-APP-000318, SRG-APP-000345, SRG-APP-000389, SRG-APP-000391, SRG-APP-000392, SRG-APP-000394, SRG-APP-000395, SRG-APP-000400, SRG-APP-000401, SRG-APP-000402, SRG-APP-000403, SRG-APP-000404, SRG-APP-000405, SRG-APP-000410, SRG-APP-000427, SRG-APP-000580, SRG-APP-000700, SRG-APP-000705, SRG-APP-000710, SRG-APP-000740, SRG-APP-000815, SRG-APP-000820, SRG-APP-000825, SRG-APP-000830, SRG-APP-000835, SRG-APP-000840, SRG-APP-000845, SRG-APP-000850, SRG-APP-000855, SRG-APP-000860, SRG-APP-000865, SRG-APP-000870, SRG-APP-000875, SRG-APP-000880, SRG-APP-000885, SRG-APP-000890&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000766</ident><ident system="http://cyber.mil/cci">CCI-000015</ident><ident system="http://cyber.mil/cci">CCI-000016</ident><ident system="http://cyber.mil/cci">CCI-000044</ident><ident system="http://cyber.mil/cci">CCI-000764</ident><ident system="http://cyber.mil/cci">CCI-004045</ident><ident system="http://cyber.mil/cci">CCI-004046</ident><ident system="http://cyber.mil/cci">CCI-001941</ident><ident system="http://cyber.mil/cci">CCI-003627</ident><ident system="http://cyber.mil/cci">CCI-000185</ident><ident system="http://cyber.mil/cci">CCI-000186</ident><ident system="http://cyber.mil/cci">CCI-000187</ident><ident system="http://cyber.mil/cci">CCI-000206</ident><ident system="http://cyber.mil/cci">CCI-000804</ident><ident system="http://cyber.mil/cci">CCI-000884</ident><ident system="http://cyber.mil/cci">CCI-002145</ident><ident system="http://cyber.mil/cci">CCI-002238</ident><ident system="http://cyber.mil/cci">CCI-002038</ident><ident system="http://cyber.mil/cci">CCI-001953</ident><ident system="http://cyber.mil/cci">CCI-001954</ident><ident system="http://cyber.mil/cci">CCI-001958</ident><ident system="http://cyber.mil/cci">CCI-001967</ident><ident system="http://cyber.mil/cci">CCI-002007</ident><ident system="http://cyber.mil/cci">CCI-004068</ident><ident system="http://cyber.mil/cci">CCI-002009</ident><ident system="http://cyber.mil/cci">CCI-002010</ident><ident system="http://cyber.mil/cci">CCI-004083</ident><ident system="http://cyber.mil/cci">CCI-004085</ident><ident system="http://cyber.mil/cci">CCI-001632</ident><ident system="http://cyber.mil/cci">CCI-002470</ident><ident system="http://cyber.mil/cci">CCI-003628</ident><ident system="http://cyber.mil/cci">CCI-003629</ident><ident system="http://cyber.mil/cci">CCI-003747</ident><ident system="http://cyber.mil/cci">CCI-004047</ident><ident system="http://cyber.mil/cci">CCI-004058</ident><ident system="http://cyber.mil/cci">CCI-004059</ident><ident system="http://cyber.mil/cci">CCI-004060</ident><ident system="http://cyber.mil/cci">CCI-004061</ident><ident system="http://cyber.mil/cci">CCI-004062</ident><ident system="http://cyber.mil/cci">CCI-004063</ident><ident system="http://cyber.mil/cci">CCI-004064</ident><ident system="http://cyber.mil/cci">CCI-004065</ident><ident system="http://cyber.mil/cci">CCI-004066</ident><ident system="http://cyber.mil/cci">CCI-004192</ident><ident system="http://cyber.mil/cci">CCI-004901</ident><ident system="http://cyber.mil/cci">CCI-004902</ident><fixtext fixref="F-88408r1206167_fix">Once Active Directory is configured in FLYS-00-000055, remove all local users:
- On the Management &gt;&gt; Account Manager tab, remove all local users.</fixtext><fix id="F-88408r1206167_fix" /><check system="C-88503r1206166_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>Once Active Directory is configured in FLYS-00-000055, all local users must be removed.

Check the Fly Server User settings:
- On the Management &gt;&gt; Account Manager tab, view the list of users.
- User accounts tied to an Active Directory domain will be defined as [domainname]\[username].

If any of the users listed are not tied to Active Directory, this is a finding.</check-content></check></Rule></Group><Group id="V-283939"><title>SRG-APP-000150</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283939r1223358_rule" weight="10.0" severity="high"><version>FLYS-00-000115</version><title>Fly Server must have local authentication disabled.</title><description>&lt;VulnDiscussion&gt;To ensure accountability and prevent unauthenticated access, nonprivileged users must utilize multifactor authentication to prevent potential misuse and compromise of the system. 

Multifactor authentication uses two or more factors to achieve authentication. 

Factors include:
(i) Something you know (e.g., password/PIN); 
(ii) Something you have (e.g., cryptographic identification device, token); or 
(iii) Something you are (e.g., biometric). 

A nonprivileged account is any information system account with authorizations of a nonprivileged user. 

Network access is any access to an application by a user (or process acting on behalf of a user) where said access is obtained through a network connection.

Applications integrating with the DoW Active Directory and utilize the DoW CAC are examples of compliant multifactor authentication solutions.

Satisfies: SRG-APP-000150, SRG-APP-000023, SRG-APP-000024, SRG-APP-000065, SRG-APP-000148, SRG-APP-000153, SRG-APP-000154, SRG-APP-000155, SRG-APP-000156, SRG-APP-000157, SRG-APP-000163, SRG-APP-000175, SRG-APP-000176, SRG-APP-000177, SRG-APP-000178, SRG-APP-000180, SRG-APP-000183, SRG-APP-000318, SRG-APP-000345, SRG-APP-000389, SRG-APP-000391, SRG-APP-000392, SRG-APP-000394, SRG-APP-000395, SRG-APP-000400, SRG-APP-000401, SRG-APP-000402, SRG-APP-000403, SRG-APP-000404, SRG-APP-000405, SRG-APP-000410, SRG-APP-000427, SRG-APP-000580, SRG-APP-000700, SRG-APP-000705, SRG-APP-000710, SRG-APP-000740, SRG-APP-000815, SRG-APP-000820, SRG-APP-000825, SRG-APP-000830, SRG-APP-000835, SRG-APP-000840, SRG-APP-000845, SRG-APP-000850, SRG-APP-000855, SRG-APP-000860, SRG-APP-000865, SRG-APP-000870, SRG-APP-000875, SRG-APP-000880, SRG-APP-000885, SRG-APP-000890&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000766</ident><ident system="http://cyber.mil/cci">CCI-000015</ident><ident system="http://cyber.mil/cci">CCI-000016</ident><ident system="http://cyber.mil/cci">CCI-000044</ident><ident system="http://cyber.mil/cci">CCI-000764</ident><ident system="http://cyber.mil/cci">CCI-004045</ident><ident system="http://cyber.mil/cci">CCI-004046</ident><ident system="http://cyber.mil/cci">CCI-001941</ident><ident system="http://cyber.mil/cci">CCI-003627</ident><ident system="http://cyber.mil/cci">CCI-000185</ident><ident system="http://cyber.mil/cci">CCI-000186</ident><ident system="http://cyber.mil/cci">CCI-000187</ident><ident system="http://cyber.mil/cci">CCI-000206</ident><ident system="http://cyber.mil/cci">CCI-000804</ident><ident system="http://cyber.mil/cci">CCI-000884</ident><ident system="http://cyber.mil/cci">CCI-002145</ident><ident system="http://cyber.mil/cci">CCI-002238</ident><ident system="http://cyber.mil/cci">CCI-002038</ident><ident system="http://cyber.mil/cci">CCI-001953</ident><ident system="http://cyber.mil/cci">CCI-001954</ident><ident system="http://cyber.mil/cci">CCI-001958</ident><ident system="http://cyber.mil/cci">CCI-001967</ident><ident system="http://cyber.mil/cci">CCI-002007</ident><ident system="http://cyber.mil/cci">CCI-004068</ident><ident system="http://cyber.mil/cci">CCI-002009</ident><ident system="http://cyber.mil/cci">CCI-002010</ident><ident system="http://cyber.mil/cci">CCI-004083</ident><ident system="http://cyber.mil/cci">CCI-004085</ident><ident system="http://cyber.mil/cci">CCI-001632</ident><ident system="http://cyber.mil/cci">CCI-002470</ident><ident system="http://cyber.mil/cci">CCI-003628</ident><ident system="http://cyber.mil/cci">CCI-003629</ident><ident system="http://cyber.mil/cci">CCI-003747</ident><ident system="http://cyber.mil/cci">CCI-004047</ident><ident system="http://cyber.mil/cci">CCI-004058</ident><ident system="http://cyber.mil/cci">CCI-004059</ident><ident system="http://cyber.mil/cci">CCI-004060</ident><ident system="http://cyber.mil/cci">CCI-004061</ident><ident system="http://cyber.mil/cci">CCI-004062</ident><ident system="http://cyber.mil/cci">CCI-004063</ident><ident system="http://cyber.mil/cci">CCI-004064</ident><ident system="http://cyber.mil/cci">CCI-004065</ident><ident system="http://cyber.mil/cci">CCI-004066</ident><ident system="http://cyber.mil/cci">CCI-004192</ident><ident system="http://cyber.mil/cci">CCI-004901</ident><ident system="http://cyber.mil/cci">CCI-004902</ident><fixtext fixref="F-88409r1206170_fix">Once Active Directory is configured in FLYS-00-000055, disable local authentication:
- On the Management &gt;&gt; Account Manager tab, click "Authentication Manager".
- Disable the Local System slide-bar.</fixtext><fix id="F-88409r1206170_fix" /><check system="C-88504r1206169_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>Once Active Directory is configured in FLYS-00-000055, local authentication must be disabled.
- On the Management &gt;&gt; Account Manager tab, click "Authentication Manager".

If the slide-bar for Local System is active, this is a finding.</check-content></check></Rule></Group><Group id="V-283941"><title>SRG-APP-000427</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283941r1223361_rule" weight="10.0" severity="medium"><version>FLYS-00-000140</version><title>Fly Server must only allow the use of DoW PKI established certificate authorities for verification of the establishment of protected sessions.</title><description>&lt;VulnDiscussion&gt;Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoW systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoW-approved CA, trust of this CA has not been established.

The DoW will only accept PKI certificates obtained from a DoW-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of TLS certificates. 

This requirement focuses on communications protection for the application session rather than for the network packet.

This requirement applies to applications that use communications sessions. This includes, but is not limited to, web-based applications and service-oriented architectures (SOAs).

Satisfies: SRG-APP-000427, SRG-APP-000605&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002470</ident><ident system="http://cyber.mil/cci">CCI-000185</ident><fixtext fixref="F-88411r1206896_fix">To replace the web certificate:
1. Prepare trusted certificate (pfx file).
2. Install the pfx certificate on the FLY Manager server.
3. Run the following command to replace the sslcert binding:
    netsh http delete sslcert ipport=0.0.0.0:&lt;FLY Manager Port default:20100&gt;
    netsh http add sslcert ipport=0.0.0.0:&lt;FLY Manager Port default:20100&gt; certhash=&lt;THUMBPRINT&gt; appid={b8a60d7f-c976-4416-b5af-f9e36cae4dae}
4. Update the value of the node "WebCertThumbprint" in the file …\FLY\Manager\Control\bin\TimerService.exe.config.
5. Restart "FLY Timer Service".

To replace the communication certificate:
1. Prepare trusted communication certificate (pfx file).
2. Install the pfx certificate on all FLY servers (agent and manager servers).
3. On the FLY Manager server, update the value of "CertThumbprint" in the file "…\FLY\Manager\Control\bin\TimerService.exe.config".
4. Restart "FLY Timer Service".
5. Log in to the agent servers.
6. Run the following command to replace the sslcert binding:
    netsh http delete sslcert ipport=0.0.0.0:&lt;FLY Agent Port Default:20101&gt;
    netsh http add sslcert ipport=0.0.0.0:&lt;FLY Agent Port Default:20101&gt; certhash=&lt;THUMBPRINT&gt; appid={b8a60d7f-c976-4416-b5af-f9e36cae4dae}
7. Update the thumbprint in the following config file:
    "agentSSLThumbprint" in  …\APElements\FLY\Agent\bin\AgentCommonVCEnv.config 
    "clientCertificate" and "serviceCertificate" in …\APElements\FLY\Agent\bin\AgentCommonWCFBehaviors.config
    "clientCertificate" and "serviceCertificate" in …\APElements\FLY\Agent\bin\CommonDataTransfer.config
8. Restart "FLY Agent Service".</fixtext><fix id="F-88411r1206896_fix" /><check system="C-88506r1223360_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>To validate the web certificate:
1. Run the following command to check sslcert:
    curl.exe -vI https://&lt;FLY host&gt;:&lt;port&gt;/
2. If there is "The certificate chain was issued by an authority that is not trusted." in the output, this is a finding.

To validate the communication certificate:
1. Log in to the agent server.
2. Open the file "…\APElements\FLY\Agent\bin\AgentCommonVCEnv.config" and find the value of "agentSSLThumbprint".
3. Open the certmgr and find the certificate. 
4. If the certificate is not a DoW PKI (or other AO-approved) certificate, this is a finding.</check-content></check></Rule></Group><Group id="V-283942"><title>SRG-APP-000516</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-283942r1223359_rule" weight="10.0" severity="low"><version>FLYS-00-000150</version><title>Fly Server must be configured to use an enterprise database solution.</title><description>&lt;VulnDiscussion&gt;Configuring the application to implement organizationwide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoW that reflects the most restrictive security posture consistent with operational requirements. 

Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the application, including the parameters required to satisfy other security control requirements.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-88412r1206179_fix">Configure Fly Server to use a MS SQL server database when installing Fly Server manager. The MS-SQL server cannot reside on the same host as the Fly Server application.</fixtext><fix id="F-88412r1206179_fix" /><check system="C-88507r1206898_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>Check the Fly Server control database type in the configuration file of Fly Server manager:
Open "&lt;Program Files&gt;\APElements\FLY\Manager\Control\bin\TimerService.exe.config" with a text editor.

If the value of "ConfigDatabaseType" is" SQLite", the system has been configured to use built-in database when installing Fly Server manager. 

If the value of "ConfigDatabaseType" is "SQLite", this is a finding.

If the value of "ConfigDatabaseInstance" points to a path local to the host where Fly Server resided, this is a finding.</check-content></check></Rule></Group><Group id="V-284007"><title>SRG-APP-000329</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-284007r1207111_rule" weight="10.0" severity="medium"><version>FLYS-00-000805</version><title>Fly Server must enforce a role-based access control (RBAC) policy over defined subjects and objects.</title><description>&lt;VulnDiscussion&gt;RBAC is an access control policy that restricts information system access to authorized users. Without these security policies, access control and enforcement mechanisms will not prevent unauthorized access.

Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When users are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control.

Pertains to Zero Trust.

Satisfies: SRG-APP-000329, SRG-APP-000233, SRG-APP-000328, SRG-APP-001040, SRG-APP-001045&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002169</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><ident system="http://cyber.mil/cci">CCI-001084</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><ident system="http://cyber.mil/cci">CCI-003650</ident><ident system="http://cyber.mil/cci">CCI-003652</ident><fixtext fixref="F-88476r1207111_fix">RBAC hierarchy is to be defined by the AO. Separation of duties must be configured.

Configure the Fly Server Role settings:
- Log on to Fly Server Manager with an admin account.
- On the Management &gt;&gt; Role Manager tab, configure two or more roles.

Configure the role assignments:
- On the Management &gt;&gt; Account Manager tab, assign a unique role to two or more users. Add users if necessary.</fixtext><fix id="F-88476r1207111_fix" /><check system="C-88571r1206371_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>RBAC hierarchy is to be defined by the authorizing official (AO). Separation of duties must be configured.

Check the Fly Server Role settings:
- Log on to Fly Server Manager with an admin account.
- On the Management &gt;&gt; Role Manager tab, view the configured roles.

If only one role exists, this is a finding.

Check the role assignments:
- On the Management &gt;&gt; Account Manager tab, view the Role column.

If only one role is assigned, this is a finding.

If only one user exists in the list of users, this is a finding.</check-content></check></Rule></Group><Group id="V-284030"><title>SRG-APP-000456</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-284030r1206442_rule" weight="10.0" severity="medium"><version>FLYS-00-000950</version><title>Fly Server must automatically check for updates weekly.</title><description>&lt;VulnDiscussion&gt;Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. 

Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). 

This requirement will apply to software patch management solutions used to install patches across the enclave and to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.

The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002605</ident><fixtext fixref="F-88499r1206441_fix">Configure the Fly Server update service configuration:
- Log on to Fly Server with an admin account.
- On the Management &gt;&gt; System Information page, click "Service Configuration".
- Set "Auto check new version" to "Weekly".
- Click "Save".</fixtext><fix id="F-88499r1206441_fix" /><check system="C-88594r1206440_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>Check the Fly Server update service configuration:
- Log on to Fly Server with an admin account.
- On the Management &gt;&gt; System Information page, click "Service Configuration".
- Verify "Auto check new version" is set to "Weekly".

If the "Auto check new version" is not set to "Weekly", this is a finding.</check-content></check></Rule></Group><Group id="V-284031"><title>SRG-APP-000456</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-284031r1206445_rule" weight="10.0" severity="medium"><version>FLYS-00-000951</version><title>Fly Server must be updated within 30 days of an update release.</title><description>&lt;VulnDiscussion&gt;Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. 

Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). 

This requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.

The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-002605</ident><fixtext fixref="F-88500r1206444_fix">Upgrade the system:
- Log on to Fly Server with an admin account.
- On the Management &gt;&gt; System Information page, click "Check for a new version".
- If a new version is available, the number will be displayed. Note the version number.
- Compare the new version number with the version history documented on AvePoint's website.

Upgrade to the latest version within 30 days of release.</fixtext><fix id="F-88500r1206444_fix" /><check system="C-88595r1206443_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>Check the Fly Server release version:
- Log on to Fly Server with an admin account.
- On the Management &gt;&gt; System Information page, click "Check for a new version".
- If a new version is available, the number will be displayed. Note the version number.
- Compare the new version number with the version history documented on AvePoint's website.

If no updated version information is displayed via "Check for a new version", the system is up to date. There is no finding.

If the available version number is more than 30 days old, this is a finding.</check-content></check></Rule></Group><Group id="V-284032"><title>SRG-APP-001035</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-284032r1206448_rule" weight="10.0" severity="high"><version>FLYS-00-000952</version><title>Fly Server must be a version supported by the vendor.</title><description>&lt;VulnDiscussion&gt;Unsupported software and systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities.

Software and systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation.

When maintenance updates and patches are no longer available, software is no longer considered supported and should be upgraded or decommissioned.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target AvePoint Fly Server </dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>AvePoint Fly Server </dc:subject><dc:identifier>5747</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-003376</ident><fixtext fixref="F-88501r1206447_fix">Upgrade the system to a supported version.</fixtext><fix id="F-88501r1206447_fix" /><check system="C-88596r1206446_chk"><check-content-ref href="AvePoint_Fly_Server__STIG.xml" name="M" /><check-content>Check the Fly Server release version:
- Log on to Fly Server with an admin account.
- On the Management &gt;&gt; System Information page, note the version number.
- Compare the version number with the product end of life information documented on AvePoint's website.

If the version information is displayed is not supported by the vendor, this is a finding.</check-content></check></Rule></Group></Benchmark>