Omnissa WS1 UEM Server Security Technical Implementation Guide

Overview

VersionDateFinding Count (15)Downloads
V1R12026-06-15CAT I (High): 0CAT II (Medium): 15CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of War (DoW) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
ClassifiedPublicSensitive
I - Mission Critical ClassifiedI - Mission Critical PublicI - Mission Critical Sensitive
II - Mission Support ClassifiedII - Mission Support PublicII - Mission Support Sensitive
III - Administrative ClassifiedIII - Administrative PublicIII - Administrative Sensitive

Findings - MAC III - Administrative Classified

Finding IDSeverityTitleDescription
V-284249
LOWMEDIUMHIGH
The Omnissa WS1 UEM server must limit the number of concurrent sessions per privileged user account to three or less concurrent sessions.Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allow...
V-284251
LOWMEDIUMHIGH
The Omnissa WS1 UEM server must initiate a session lock after a 15-minute period of inactivity.A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst...
V-284254
LOWMEDIUMHIGH
The Omnissa WS1 UEM server must be configured to use a directory service for centralized account management.Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk o...
V-284260
LOWMEDIUMHIGH
The Omnissa WS1 UEM server must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, ...
V-284275
LOWMEDIUMHIGH
The UEM SRG must alert the information system security officer and system administrator (at a minimum) in the event of an audit processing failure.It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio...
V-284282
LOWMEDIUMHIGH
The firewall protecting the Omnissa WS1 UEM server platform must be configured so only DoW-approved ports, protocols, and services are enabled. (Refer to the DoW Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoW-approved ports, protocols, and services).All ports, protocols, and services used on DoW networks must be approved and registered via the DoW PPSM process. This is to ensure a risk assessment ...
V-284284
LOWMEDIUMHIGH
The Omnissa WS1 UEM server must be configured to require a One-Time Password (OTP) or Short Message Service (SMS) two-factor authentication for local accounts.DoW sites may implement one "break-glass" WS1 UEM local account for the purpose of server recovery. This account must use two-factor authentication t...
V-284305
LOWMEDIUMHIGH
The Omnissa WS1 UEM server must be configured to transfer Omnissa WS1 UEM server logs to another server for storage, analysis, and reporting. Note: Omnissa WS1 UEM server logs include logs of UEM events and logs transferred to the Omnissa WS1 UEM server by UEM agents of managed devices.Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information...
V-284306
LOWMEDIUMHIGH
The Omnissa WS1 UEM server must be configured to record time stamps for audit records in Coordinated Universal Time (UTC).If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps genera...
V-284320
LOWMEDIUMHIGH
The Omnissa WS1 UEM server must be configured with the periodicity of the following commands to the agent of six hours or less: - Query connectivity status. - Query the current version of the managed device firmware/software. - Query the current version of installed mobile applications. - Read audit logs kept by the managed device.Without verification, security functions may not operate correctly and this failure may go unnoticed. Security function is defined as the hardware...
V-284349
LOWMEDIUMHIGH
The Omnissa WS1 UEM server must enforce a minimum 15-character password length.The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complex...
V-284350
LOWMEDIUMHIGH
The Omnissa WS1 UEM server must prohibit password reuse for a minimum of five generations.Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To me...
V-284351
LOWMEDIUMHIGH
The Omnissa WS1 UEM server must enforce password complexity by requiring at least one uppercase character to be used.Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure...
V-284354
LOWMEDIUMHIGH
The Omnissa WS1 UEM server must enforce a 60-day maximum password lifetime restriction.Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minim...
V-284358
LOWMEDIUMHIGH
The Omnissa WS1 UEM server must be configured to have at least one user in defined administrator roles.Having several administrative roles for the UEM server supports separation of duties. This allows administrator-level privileges to be granted granula...