{"stig":{"title":"Soaring Software Solutions TCMax 9.x Security Technical Implementation Guide","version":"1","release":"1"},"checks":[{"vulnId":"V-281366","ruleId":"SV-281366r1186136_rule","severity":"medium","ruleTitle":"TCMax must initiate a session lock after a 15-minute period of inactivity.","description":"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to identify when a user's application session has idled and act to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system level and results in a system lock, but may be at the application level where the application interface window is secured instead.","checkContent":"Using an account of appropriate privileges to access TCMax, go to Settings >> Options. \n\nUnder \"Login and User Options\", if \"Automatically log user off after selected number of minutes.\" is not checked, and the \"Number of minutes of idle time will log off the logged in user\" is greater than 15, this is a finding.","fixText":"1. Go to Settings >> Options. \n\n2. Under \"Login and User Options\", check the box for \"Automatically log user off after selected number of minutes.\".\n\n3. Set the \"Number of minutes of idle time will log off the logged in user\" to \"15\" or fewer.\n\n4. 
Click \"Save\".","ccis":["CCI-000057"]},{"vulnId":"V-281367","ruleId":"SV-281367r1185141_rule","severity":"medium","ruleTitle":"TCMax must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.","description":"By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.","checkContent":"1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options.\n\n2. Click the \"Configure\" menu option at the top of the window, then click \"Account Security Policy\".\n\n3. Click the \"Account Lockout\" tab.\n\nIf the \"Enable Account Lockout Policy\" box is unchecked or if the \"Number of failed login attempts\" value is greater than \"3\", this is a finding.\n\nIf the \"Timespan for failed logins (minutes)\" is greater than \"15\", this is a finding.","fixText":"1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options.\n\n2. Click the \"Configure\" menu option at the top of the window, then click \"Account Security Policy\".\n\n3. Click the \"Account Lockout\" tab.\n\n4. Check the \"Enable Account Lockout Policy\" box.\n\n5. Set the \"Number of failed login attempts\" value to \"3\" or fewer.\n\n6. Set the \"Timespan for failed logins (minutes)\" value to \"15\" or fewer.\n\n7. Click \"Save\".","ccis":["CCI-000044"]},{"vulnId":"V-281368","ruleId":"SV-281368r1185144_rule","severity":"medium","ruleTitle":"TCMax must protect audit information from any type of unauthorized read access.","description":"If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. 
In addition, access to audit records provides information an attacker could potentially use to their advantage.\n\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information from any and all unauthorized access. This includes read, write, and copy access.\n\nThis requirement can be achieved through multiple methods, which will depend upon system architecture and design. Commonly employed methods for protecting audit information include least privilege permissions as well as restricting the location and number of log file repositories.\n\nAdditionally, applications with user interfaces to audit records must not allow for the unfettered manipulation of or access to those records via the application. If the application provides access to the audit data, the application becomes accountable for ensuring audit information is protected from unauthorized access.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.","checkContent":"Launch TCMax and cancel/fail the login process.\n\nIf the Tools >> Log Search menu option is enabled, this is a finding.","fixText":"1. Go to Settings >> Options. \n\n2. Under \"Login and User Options\", enable the option to \"Do not allow access to log search screen without logging in\".\n\n3. 
Click \"Save\".","ccis":["CCI-000162"]},{"vulnId":"V-281369","ruleId":"SV-281369r1195319_rule","severity":"medium","ruleTitle":"TCMax must be configured to prohibit or restrict using organization-defined functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL) and vulnerability assessments.","description":"Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.\n\nApplication communication sessions are protected using transport encryption protocols, such as TLS, which provides web applications with a means to be able to authenticate user sessions and encrypt application traffic. Session authentication can be single (one-way) or mutual (two-way) in nature. Single authentication authenticates the server for the client, whereas mutual authentication provides a means for both the client and the server to authenticate each other. \n\nThis requirement applies to applications that use communications sessions. This includes, but is not limited to, web-based applications and service-oriented architectures (SOAs). \n\nThis requirement addresses communications protection at the application session, versus the network packet, and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/service oriented architecture (SOA) requires using TLS mutual authentication (two-way/bidirectional).","checkContent":"1. Using a Windows account of appropriate privileges to access the file system, open the file C:\\ProgramData\\Soaring Software Solutions\\TCMax\\Configuration Files\\DatabaseConnections.xml.\n\n2. 
Review the connection string attribute for Data Source.\n\nIf the port specified in the Data Source is not approved by the PPSM CAL, this is a finding.","fixText":"Configure the connection to use ports approved by the PPSM CAL.","ccis":["CCI-000382"]},{"vulnId":"V-281370","ruleId":"SV-281370r1186141_rule","severity":"medium","ruleTitle":"TCMax must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).","description":"To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following.\n\n(i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and \n(ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.","checkContent":"1. Using an account of appropriate privileges to access TCMax, go to Settings >> Options >> General tab.\n\n2. Under \"Login and User Options\", verify the following are enabled:\n- \"Require someone to be logged in before you can perform an issue or turn-in\".\n- \"Do not allow access to log search screen without logging in\".\n- \"Restrict reports to those with permission only\".\n- \"Hide user id field on all screens\".\n\nIf any of these options are disabled, this is a finding.","fixText":"1. 
Using an account of appropriate privileges to access TCMax, go to Settings >> Options >> General tab.\n\n2. Under \"Login and User Options\", enable the following:\n- \"Require someone to be logged in before you can perform an issue or turn-in\".\n- \"Do not allow access to log search screen without logging in\".\n- \"Restrict reports to those with permission only\".\n- \"Hide user id field on all screens\".\n\n3. Click \"Save\".","ccis":["CCI-000764"]},{"vulnId":"V-281371","ruleId":"SV-281371r1186143_rule","severity":"medium","ruleTitle":"TCMax must enforce a minimum 15-character password length.","description":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. \n\nUse of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.","checkContent":"1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options.\n\n2. Click the \"Configure\" menu option at the top of the window, then click \"Account Security Policy\".\n\nOn the \"Password Enforcement\" tab, if the \"Enable Password Enforcement Policy\" box is unchecked or the \"Minimum Length\" value is less than \"15\", this is a finding.","fixText":"1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options. \n\n2. Click the \"Configure\" menu option at the top of the window, then click \"Account Security Policy\". \n\n3. Check the \"Enable Password Enforcement Policy\" box.\n\n4. 
Set the \"Minimum Length\" value to \"15\" or greater.","ccis":["CCI-004066"]},{"vulnId":"V-281372","ruleId":"SV-281372r1186146_rule","severity":"medium","ruleTitle":"TCMax must enforce password complexity by requiring that at least one uppercase letter, one lowercase letter, one number, and one special character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nComplex passwords should consist of at least one uppercase letter, one lowercase letter, one number, and one special character.\n\nSpecial characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.\n\nSatisfies: SRG-APP-000166, SRG-APP-000167, SRG-APP-000168, SRG-APP-000169, SRG-APP-000870","checkContent":"1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options.\n\n2. Click the \"Configure\" menu option at the top of the window, then click \"Account Security Policy\". \n\nOn the \"Password Enforcement\" tab, if the \"Enable Password Enforcement Policy\" box or the \"Complex Password\" box is unchecked, this is a finding.","fixText":"1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options.\n\n2. Click the \"Configure\" menu option at the top of the window, then click \"Account Security Policy\". \n\n3. Check the \"Enable Password Enforcement Policy\" box and check the \"Complex Password\" box. \n\n4. 
Click \"Save\".","ccis":["CCI-004066"]},{"vulnId":"V-281373","ruleId":"SV-281373r1186149_rule","severity":"medium","ruleTitle":"TCMax must require the change of at least eight of the total number of characters when passwords are changed.","description":"If the application allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.\n\nThe number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.","checkContent":"1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options.\n\n2. Click the \"Configure\" menu option at the top of the window, then click \"Account Security Policy\".\n\nIf the \"Enable Password Enforcement Policy\" box is unchecked, this is a finding.\n\nIf the \"Different Characters\" is a number less than \"8\", this is a finding.","fixText":"1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options.\n\n2. Click the \"Configure\" menu option at the top of the window, then click \"Account Security Policy\". \n\n3. Check the \"Enable Password Enforcement Policy\".\n\n4. Set the \"Different Characters\" value to \"8\" or higher. \n\n5. Click \"Save\".","ccis":["CCI-004066"]},{"vulnId":"V-281374","ruleId":"SV-281374r1186152_rule","severity":"medium","ruleTitle":"TCMax must enforce 24 hours/1 day as the minimum password lifetime.","description":"Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement.\n\nRestricting this setting limits the user's ability to change their password. 
Passwords must be changed at specific policy based intervals; however, if the application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.","checkContent":"1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options.\n\n2. Click the \"Configure\" menu option at the top of the window, then click \"Account Security Policy\".\n\nIf \"Enable Password Enforcement Policy\" is unchecked, this is a finding.\n\nIf \"Minimum Password Life (Hours)\" is less than \"24\", this is a finding.","fixText":"1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options.\n\n2. Click the \"Configure\" menu option at the top of the window, then click \"Account Security Policy\".\n\n3. Ensure \"Enable Password Enforcement Policy\" is checked.\n\n4. Ensure \"Minimum Password Life (Hours)\" is set to \"24\".","ccis":["CCI-004066"]},{"vulnId":"V-281375","ruleId":"SV-281375r1186155_rule","severity":"medium","ruleTitle":"TCMax must enforce a 60-day maximum password lifetime restriction.","description":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals.\n\nOne method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised.\n\nThis requirement does not include emergency administration accounts, which are meant for access to the application in case of failure. These accounts are not required to have maximum password lifetime restrictions.","checkContent":"1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options.\n\n2. 
Click the \"Configure\" menu option at the top of the window, then click \"Account Security Policy\".\n\nIf \"Enable Password Enforcement Policy\" is unchecked, this is a finding.\n\nIf \"Days Until Password Expires\" is more than \"60\", this is a finding.","fixText":"1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options.\n\n2. Click the \"Configure\" menu option at the top of the window, then click \"Account Security Policy\". \n\n3. Ensure \"Enable Password Enforcement Policy\" is checked.\n\n4. Set \"Days Until Password Expires\" to \"60\" or fewer.","ccis":["CCI-004066"]},{"vulnId":"V-281376","ruleId":"SV-281376r1195320_rule","severity":"high","ruleTitle":"TCMax must protect the confidentiality and integrity of transmitted information.","description":"Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. \n\nCommunication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.\n\nAuthenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.\n\nApplication communication sessions are protected using transport encryption protocols such as TLS. TLS provides web applications with a means to authenticate user sessions and encrypt application traffic. Session authentication can be single (one-way) or mutual (two-way) in nature. 
Single authentication authenticates the server for the client, whereas mutual authentication provides a means for both the client and the server to authenticate each other. \n\nThis requirement applies to applications that use communications sessions. This includes, but is not limited to, web-based applications and service-oriented architectures (SOAs). \n\nThis requirement addresses communications protection at the application session versus the network packet, and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. \n\nWhen transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, TLS VPNs, or IPsec.\n\nSatisfies: SRG-APP-000219, SRG-APP-000439, SRG-APP-000440, SRG-APP-000441, SRG-APP-000442, SRG-APP-000895, SRG-APP-000900, SRG-APP-000905","checkContent":"1. Using a Windows account of appropriate privileges to access the file system, open the file C:\\ProgramData\\Soaring Software Solutions\\TCMax\\Configuration Files\\DatabaseConnections.xml.\n\n2. Review the attribute for Encrypt. \n\nIf Encrypt = False, this is a finding.","fixText":"1. Open the file C:\\ProgramData\\Soaring Software Solutions\\TCMax\\Configuration Files\\DatabaseConnections.xml. \n\n2. Edit the file to set Encrypt = True. 
\n\nExample file below:\n<Root>\n  <PrimaryConnection DataSource=\"MicrosoftSqlServer\" DataProvider=\"SqlClient\">\n    <ConnectionString>Persist Security Info=False;Data Source=SERVER_NAME\\INSTANCE_NAME;Initial Catalog=DB_NAME;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False;MultipleActiveResultSets=True;Connection Timeout=15</ConnectionString>\n  </PrimaryConnection>\n</Root>","ccis":["CCI-001184","CCI-002418","CCI-002421","CCI-002420","CCI-002422","CCI-004904","CCI-004906","CCI-004907"]},{"vulnId":"V-281377","ruleId":"SV-281377r1186158_rule","severity":"medium","ruleTitle":"TCMax must accept personal identity verification (PIV) credentials.","description":"Using PIV credentials facilitates standardization and reduces the risk of unauthorized access.\n\nDOD has mandated using the common access card (CAC) to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems.\n\nSatisfies: SRG-APP-000391, SRG-APP-000392","checkContent":"Using an account of appropriate privileges to access TCMax, go to Settings >> Options.\n\nUnder \"Login and User Options\", if \"Link Windows IDs to TCMax user accounts\" is not checked, this is a finding.\n\nIf \"Close TCMax when Windows user account is locked\" is not checked, this is a finding.","fixText":"1. Using an account of appropriate privileges to access TCMax, go to Settings >> Options.\n\n2. Under \"Login and User Options\", check the box for \"Link Windows IDs to TCMax user accounts\".\n\n3. Check the box for \"Close TCMax when Windows user account is locked\".\n\n4. 
Click \"Save\".","ccis":["CCI-001953","CCI-001954"]},{"vulnId":"V-281378","ruleId":"SV-281378r1195327_rule","severity":"medium","ruleTitle":"TCMax must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).","description":"Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. \n\nOrganization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). \n\nThis requirement will apply to software patch management solutions that are used to install patches across the enclave and also to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.\n\nThe application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. 
The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).","checkContent":"Ensure there is a policy in place to update all relevant security patches. \n\nIf no policy exists, this is a finding.","fixText":"Work with the system owner to develop a policy to ensure security patches and the application version are up to date. \n\nUpdates are posted to soaringsoftware.com and must be downloaded/installed by system owners. Soaring Software Solutions' newsletter details when new releases are available. \n\n1. Using a web browser, go to soaringsoftware.com. \n\n2. Click \"Contact\", then \"Contact Support\", and enter user information. In the message, request to be added to the newsletter distribution.","ccis":["CCI-002605"]},{"vulnId":"V-281379","ruleId":"SV-281379r1186169_rule","severity":"medium","ruleTitle":"For password-based authentication, TCMax must require immediate selection of a new password upon account recovery.","description":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.","checkContent":"1. 
Using an account of appropriate privileges to access TCMax, go to Settings >> User Options.\n\n2. Click the \"Configure\" menu option at the top of the window, then click \"Account Security Policy\". \n\n3. Click the \"Account Lockout\" tab.\n\nIf the \"Enable Account Lockout Policy\" box is unchecked, or the \"Force Reset after User Reactivation\" box is unchecked, this is a finding.","fixText":"1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options.\n\n2. Click the \"Configure\" menu option at the top of the window, then click \"Account Security Policy\". \n\n3. Click the \"Account Lockout\" tab.\n\n4. Check the \"Enable Account Lockout Policy\" box.\n\n5. Check the \"Force Reset after User Reactivation\" box.\n\n6. Click \"Save\".","ccis":["CCI-004063"]},{"vulnId":"V-281380","ruleId":"SV-281380r1186164_rule","severity":"medium","ruleTitle":"TCMax must enforce a role-based access control (RBAC) policy over defined subjects and objects.","description":"RBAC enables users to control, at both broad and granular levels, what administrators and end users can do. RBAC also enables users to more closely align the roles assigned to users and administrators to the actual roles they hold within the organization.","checkContent":"Role-Based Access Control hierarchy is to be defined by the authorizing authority (AO). Separation of duties must be configured.\n\n1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options.\n\n2. Evaluate the users using the combo box in the top right to change users.\n\n3. Ensure users have the minimal permissions required to perform their duties.\n\n4. Verify at least two users have different role types such as \"admin\" and \"user\".\n\nIf only one assigned role exists, this is a finding.\n\nIf users have excessive permissions, this is a finding.","fixText":"Role-Based Access Control hierarchy is to be defined by the AO. Separation of duties must be configured.\n\n1. 
Using an account of appropriate privileges to access TCMax, go to Settings >> User Options.\n\n2. Assign minimal permissions to each user required to perform their job.\n\n3. Assign two or more roles (as defined by the AO) to at least two different user types.","ccis":["CCI-002169","CCI-000366"]},{"vulnId":"V-281381","ruleId":"SV-281381r1186170_rule","severity":"high","ruleTitle":"TCMax must be running a version supported by the vendor.","description":"Running the current version ensures any product updates have been addressed and tested by the vendor.","checkContent":"Inside the TCMax application, select \"Help\", then \"About\".\n\nIf the product version is not 9.8 or greater, this is a finding.","fixText":"Upgrade to the latest version of TCMax.","ccis":["CCI-000366"]},{"vulnId":"V-281382","ruleId":"SV-281382r1186167_rule","severity":"medium","ruleTitle":"TCMax must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).","description":"To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following.\n\n(i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and \n(ii) Accesses that occur through authorized use of group authenticators without individual authentication. 
Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.","checkContent":"1. Using an account of appropriate privileges to access TCMax, go to Settings >> Options >> General tab.\n\n2. Under \"Login and User Options\", ensure \"Allow users to set item status without being logged in\" is unchecked.\n\nIf this option is enabled, this is a finding.","fixText":"1. Using an account of appropriate privileges to access TCMax, go to Settings >> Options.\n\n2. Under the Login and User Options, disable \"Allow users to set item status without being logged in\".\n\n3. Click \"Save\".","ccis":["CCI-000764"]}]}