STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
SC-2 — Separation of System and User Functionality

CCI-001082

Definition

Separate user functionality, including user interface services, from system management functionality.

Parent Control

  • Control: SC-2
  • Title: Separation of System and User Functionality
  • Family: System and Communications Protection

Linked STIG Checks (141)

Each entry lists the STIG check ID, its severity category (CAT), the rule title, and the STIG or SRG it belongs to.

  • V-279050 | CAT II | ColdFusion must be configured with secure and approved server settings to enforce application hardening, input validation, error handling, and protection against common web vulnerabilities. | Adobe ColdFusion Security Technical Implementation Guide
  • V-279064 | CAT II | The ColdFusion Administrator Console must be hosted on a management network. | Adobe ColdFusion Security Technical Implementation Guide
  • V-279065 | CAT II | ColdFusion must have sandboxes enabled and defined. | Adobe ColdFusion Security Technical Implementation Guide
  • V-279066 | CAT II | ColdFusion must separate the hosted application from the web server. | Adobe ColdFusion Security Technical Implementation Guide
  • V-274001 | CAT II | Amazon Linux 2023 must restrict access to the kernel message buffer. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274002 | CAT II | Amazon Linux 2023 must prevent kernel profiling by nonprivileged users. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274003 | CAT II | Amazon Linux 2023 must restrict exposed kernel pointer addresses access. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274004 | CAT II | Amazon Linux 2023 must disable access to network bpf system call from nonprivileged processes. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274005 | CAT II | Amazon Linux 2023 must restrict usage of ptrace to descendant processes. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-268160 | CAT II | NixOS must implement nonexecutable data to protect its memory from unauthorized code execution. | Anduril NixOS Security Technical Implementation Guide
  • V-214247 | CAT II | Apache web server accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts. | Apache Server 2.4 UNIX Server Security Technical Implementation Guide
  • V-214248 | CAT I | Apache web server application directories, libraries, and configuration files must only be accessible to privileged users. | Apache Server 2.4 UNIX Server Security Technical Implementation Guide
  • V-214249 | CAT II | The Apache web server must separate the hosted applications from hosted Apache web server management functionality. | Apache Server 2.4 UNIX Server Security Technical Implementation Guide
  • V-214322 | CAT I | Apache web server application directories, libraries, and configuration files must only be accessible to privileged users. | Apache Server 2.4 Windows Server Security Technical Implementation Guide
  • V-214329 | CAT II | Apache web server accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts. | Apache Server 2.4 Windows Server Security Technical Implementation Guide
  • V-214330 | CAT II | The Apache web server must separate the hosted applications from hosted Apache web server management functionality. | Apache Server 2.4 Windows Server Security Technical Implementation Guide
  • V-214372 | CAT II | Apache web server accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts. | Apache Server 2.4 Windows Site Security Technical Implementation Guide
  • V-214373 | CAT I | Anonymous user access to the Apache web server application directories must be prohibited. | Apache Server 2.4 Windows Site Security Technical Implementation Guide
  • V-214374 | CAT II | The Apache web server must separate the hosted applications from hosted Apache web server management functionality. | Apache Server 2.4 Windows Site Security Technical Implementation Guide
  • V-222969 | CAT II | Access to JMX management interface must be restricted. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
  • V-222970 | CAT II | Access to Tomcat manager application must be restricted. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
  • V-222574 | CAT II | The application user interface must be either physically or logically separated from data storage and management interfaces. | Application Security and Development Security Technical Implementation Guide
  • V-204761 | CAT II | The application server must separate hosted application functionality from application server management functionality. | Application Server Security Requirements Guide
  • V-276005 | CAT II | Ax-OS must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide
  • V-251586 | CAT II | All installation-delivered IDMS USER-level tasks must be properly secured. | CA IDMS Security Technical Implementation Guide
  • V-251587 | CAT II | All installation-delivered IDMS DEVELOPER-level tasks must be properly secured. | CA IDMS Security Technical Implementation Guide
  • V-251588 | CAT II | All installation-delivered IDMS DBADMIN-level tasks must be properly secured. | CA IDMS Security Technical Implementation Guide
  • V-251589 | CAT II | All installation-delivered IDMS DCADMIN-level tasks must be properly secured. | CA IDMS Security Technical Implementation Guide
  • V-251590 | CAT II | All installation-delivered IDMS User-level programs must be properly secured. | CA IDMS Security Technical Implementation Guide
  • V-251591 | CAT II | All installation-delivered IDMS Developer-level Programs must be properly secured. | CA IDMS Security Technical Implementation Guide
  • V-251592 | CAT II | All installation-delivered IDMS Database-Administrator-level programs must be properly secured. | CA IDMS Security Technical Implementation Guide
  • V-251593 | CAT II | All installation-delivered IDMS DC-Administrator-level programs must be properly secured. | CA IDMS Security Technical Implementation Guide
  • V-269422 | CAT II | AlmaLinux OS 9 must disable access to network bpf system call from nonprivileged processes. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269423 | CAT II | AlmaLinux OS 9 must restrict exposed kernel pointer addresses access. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269424 | CAT II | AlmaLinux OS 9 must restrict usage of ptrace to descendant processes. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269425 | CAT II | AlmaLinux OS 9 must restrict access to the kernel message buffer. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269426 | CAT II | AlmaLinux OS 9 must prevent kernel profiling by nonprivileged users. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-233114 | CAT II | The container platform must separate user functionality (including user interface services) from information system management functionality. | Container Platform Security Requirements Guide
  • V-233588 | CAT II | PostgreSQL must separate user functionality (including user interface services) from database management functionality. | Crunchy Data PostgreSQL Security Technical Implementation Guide
  • V-261898 | CAT II | PostgreSQL must separate user functionality (including user interface services) from database management functionality. | Crunchy Data Postgres 16 Security Technical Implementation Guide
  • V-206564 | CAT II | The DBMS must separate user functionality (including user interface services) from database management functionality. | Database Security Requirements Guide
  • V-224176 | CAT II | The EDB Postgres Advanced Server must separate user functionality (including user interface services) from database management functionality. | EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide
  • V-259257 | CAT II | The EDB Postgres Advanced Server must separate user functionality (including user interface services) from database management functionality. | EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
  • V-203655 | CAT II | The operating system must separate user functionality (including user interface services) from operating system management functionality. | General Purpose Operating System Security Requirements Guide
  • V-278973 | CAT II | The operating system must separate user functionality (including user interface services) from operating system management functionality. | General Purpose Operating System Security Requirements Guide
  • V-255264 | CAT II | SSMC web server application, libraries, and configuration files must only be accessible to privileged users. | HPE 3PAR SSMC Web Server Security Technical Implementation Guide
  • V-213703 | CAT II | DB2 must separate user functionality (including user interface services) from database management functionality. | IBM DB2 V10.5 LUW Security Technical Implementation Guide
  • V-255878 | CAT II | The WebSphere Application Servers must not be in the DMZ. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide
  • V-259732 | CAT II | Access to IBM Security zSecure program resources must be limited to authorized users. | IBM zSecure Suite Security Technical Implementation Guide
  • V-237922 | CAT II | CA VM:Secure product ADMIN GLOBALS command must be restricted to systems programming personnel. | IBM zVM Using CA VM:Secure Security Technical Implementation Guide
  • V-213535 | CAT II | The JBoss server must separate hosted application functionality from application server management functionality. | JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide
  • V-242417 | CAT II | Kubernetes must separate user functionality. | Kubernetes Security Technical Implementation Guide
  • V-213854 | CAT II | SQL Server must be configured to separate user functionality (including user interface services) from database management functionality. | MS SQL Server 2014 Instance Security Technical Implementation Guide
  • V-205517 | CAT II | The Mainframe Product must separate user functionality (including user interface services) from information system management functionality. | Mainframe Product Security Requirements Guide
  • V-253705 | CAT II | MariaDB must separate user functionality (including user interface services) from database management functionality. | MariaDB Enterprise 10.x Security Technical Implementation Guide
  • V-220370 | CAT II | MarkLogic Server must separate user functionality (including user interface services) from database management functionality. | MarkLogic Server v9 Security Technical Implementation Guide
  • V-255338 | CAT II | Azure SQL Database must separate user functionality (including user interface services) from database management functionality. | Microsoft Azure SQL Database Security Technical Implementation Guide
  • V-276250 | CAT II | Azure SQL Managed Instance must separate user functionality (including user interface services) from database management functionality. | Microsoft Azure SQL Managed Instance Security Technical Implementation Guide
  • V-272886 | CAT II | Roles for use with Microsoft Defender for Endpoint (MDE) must be configured within Entra ID. | Microsoft Defender for Endpoint Security Technical Implementation Guide
  • V-272887 | CAT II | Microsoft Defender for Endpoint (MDE) must be configured for a least privilege model by implementing Unified Role-Based Access Control (RBAC). | Microsoft Defender for Endpoint Security Technical Implementation Guide
  • V-228373 | CAT II | Exchange Mailbox databases must reside on a dedicated partition. | Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide
  • V-259592 | CAT II | Exchange queue database must reside on a dedicated partition. | Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide
  • V-259669 | CAT II | Exchange Mailbox databases must reside on a dedicated partition. | Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide
  • V-218802 | CAT I | IIS 10.0 Web server accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts. | Microsoft IIS 10.0 Server Security Technical Implementation Guide
  • V-218803 | CAT II | The IIS 10.0 web server must separate the hosted applications from hosted web server management functionality. | Microsoft IIS 10.0 Server Security Technical Implementation Guide
  • V-218750 | CAT I | Anonymous IIS 10.0 website access accounts must be restricted. | Microsoft IIS 10.0 Site Security Technical Implementation Guide
  • V-243454 | CAT I | A Windows PAW used to manage domain controllers and directory services must not be used to manage any other type of high-value IT resource. | Microsoft Windows PAW Security Technical Implementation Guide
  • V-243456 | CAT II | In a Windows PAW, administrator accounts used for maintaining the PAW must be separate from administrative accounts used to manage high-value IT resources. | Microsoft Windows PAW Security Technical Implementation Guide
  • V-221175 | CAT II | MongoDB must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide
  • V-252140 | CAT II | MongoDB must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide
  • V-265924 | CAT II | MongoDB must separate user functionality (including user interface services) from database management functionality. | MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide
  • V-279355 | CAT II | MongoDB must separate user functionality (including user interface services) from database management functionality. | MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide
  • V-254117 | CAT II | Nutanix AOS must separate hosted application functionality from application server management functionality. | Nutanix AOS 5.20.x Application Security Technical Implementation Guide
  • V-254118 | CAT II | Nutanix AOS must configure network traffic segmentation when using Disaster Recovery Services. | Nutanix AOS 5.20.x Application Security Technical Implementation Guide
  • V-279486 | CAT II | Nutanix VMM must separate user functionality (including user interface services) from VMM management functionality. | Nutanix Acropolis Application Server Security Technical Implementation Guide
  • V-279526 | CAT II | All guest VM network communications must be implemented using virtual network devices provisioned and serviced by the VMM. | Nutanix Acropolis Application Server Security Technical Implementation Guide
  • V-219796 | CAT II | The DBMS must separate user functionality (including user interface services) from database management functionality. | Oracle Database 11.2g Security Technical Implementation Guide
  • V-220312 | CAT II | The DBMS must separate user functionality (including user interface services) from database management functionality. | Oracle Database 12c Security Technical Implementation Guide
  • V-270572 | CAT II | Oracle Database must separate user functionality (including user interface services) from database management functionality. | Oracle Database 19c Security Technical Implementation Guide
  • V-221495 | CAT I | OHS accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-271745 | CAT II | OL 9 must restrict access to the kernel message buffer. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271746 | CAT II | OL 9 must prevent kernel profiling by nonprivileged users. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271747 | CAT II | OL 9 must restrict exposed kernel pointer addresses access. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271748 | CAT II | OL 9 must disable access to network bpf system call from nonprivileged processes. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271749 | CAT II | OL 9 must restrict usage of ptrace to descendant processes. | Oracle Linux 9 Security Technical Implementation Guide
  • V-235150 | CAT II | The MySQL Database Server 8.0 must separate user functionality (including user interface services) from database management functionality. | Oracle MySQL 8.0 Security Technical Implementation Guide
  • V-235983 | CAT II | Oracle WebLogic must separate hosted application functionality from Oracle WebLogic management functionality. | Oracle WebLogic Server 12c Security Technical Implementation Guide
  • V-253524 | CAT II | Users requiring access to Prisma Cloud Compute's Credential Store must be assigned and accessed by the appropriate role holders. | Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide
  • V-214122 | CAT II | PostgreSQL must separate user functionality (including user interface services) from database management functionality. | PostgreSQL 9.x Security Technical Implementation Guide
  • V-254570 | CAT II | Rancher RKE2 runtime must maintain separate execution domains for each container by assigning each container a separate address space to prevent unauthorized and unintended information transfer via shared system resources. | Rancher Government Solutions RKE2 Security Technical Implementation Guide
  • V-281305 | CAT II | RHEL 10 must restrict access to the kernel message buffer. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-281306 | CAT II | RHEL 10 must prevent kernel profiling by nonprivileged users. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-281308 | CAT II | RHEL 10 must restrict exposed kernel pointer address access. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-281316 | CAT II | RHEL 10 must restrict usage of ptrace to descendant processes. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-281335 | CAT II | RHEL 10 must disable access to the network bpf system call from nonprivileged processes. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-257797 | CAT II | RHEL 9 must restrict access to the kernel message buffer. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-257798 | CAT II | RHEL 9 must prevent kernel profiling by nonprivileged users. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-257800 | CAT II | RHEL 9 must restrict exposed kernel pointer addresses access. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-257810 | CAT II | RHEL 9 must disable access to network bpf system call from nonprivileged processes. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-257811 | CAT II | RHEL 9 must restrict usage of ptrace to descendant processes. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-257545 | CAT II | OpenShift must separate user functionality (including user interface services) from information system management functionality. | Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide
  • V-257545 | CAT II | OpenShift must separate user functionality (including user interface services) from information system management functionality. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
  • V-251235 | CAT II | Redis Enterprise DBMS must separate user functionality (including user interface services) from database management functionality. | Redis Enterprise 6.x Security Technical Implementation Guide
  • V-251236 | CAT I | Access to the Redis Enterprise control plane must be restricted. | Redis Enterprise 6.x Security Technical Implementation Guide
  • V-206738 | CAT II | The SDN controller must be configured to separate tenant functionality from system management functionality. | SDN Controller Security Requirements Guide
  • V-241033 | CAT II | The Tanium Module server must be installed on a separate system. | Tanium 7.0 Security Technical Implementation Guide
  • V-234094 | CAT II | The Tanium Module server must be installed on a separate system. | Tanium 7.3 Security Technical Implementation Guide
  • V-254917 | CAT II | The Tanium application must separate user functionality (including user interface services) from information system management functionality. | Tanium 7.x Application on TanOS Security Technical Implementation Guide
  • V-253784 | CAT II | The Tanium application must separate user functionality (including user interface services) from information system management functionality. | Tanium 7.x Security Technical Implementation Guide
  • V-282505 | CAT II | TOSS 5 must restrict access to the kernel message buffer. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
  • V-282506 | CAT II | TOSS 5 must prevent kernel profiling by nonprivileged users. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
  • V-282507 | CAT II | TOSS 5 must restrict exposed kernel pointer addresses access. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
  • V-282508 | CAT II | TOSS 5 must disable access to network bpf system call from nonprivileged processes. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
  • V-282509 | CAT II | TOSS 5 must restrict usage of ptrace to descendant processes. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
  • V-240066 | CAT I | HAProxy must prohibit anonymous users from editing system files. | VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide
  • V-240251 | CAT I | Lighttpd must prohibit non-privileged accounts from accessing the directory tree, the shell, or other operating system functions and utilities. | VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide
  • V-240252 | CAT I | Lighttpd must have the latest version installed. | VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide
  • V-240808 | CAT I | tc Server HORIZON accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts. | VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
  • V-240809 | CAT I | tc Server VCO accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts. | VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
  • V-240810 | CAT I | tc Server VCAC accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts. | VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
  • V-240811 | CAT I | tc Server HORIZON web server application directories must not be accessible to anonymous user. | VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
  • V-240812 | CAT I | tc Server VCO web server application directories must not be accessible to anonymous user. | VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
  • V-240813 | CAT I | tc Server VCAC web server application directories must not be accessible to anonymous user. | VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
  • V-241663 | CAT I | tc Server UI accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts. | VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
  • V-241664 | CAT I | tc Server CaSa accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts. | VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
  • V-241665 | CAT I | tc Server API accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts. | VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
  • V-241666 | CAT I | tc Server UI web server application directories must not be accessible to anonymous user. | VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
  • V-241667 | CAT I | tc Server CaSa web server application directories must not be accessible to anonymous user. | VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
  • V-241668 | CAT I | tc Server API web server application directories must not be accessible to anonymous user. | VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
  • V-256653 | CAT II | VAMI server binaries and libraries must be verified for their integrity. | VMware vSphere 7.0 VAMI Security Technical Implementation Guide
  • V-256689 | CAT II | ESX Agent Manager directory tree must have permissions in an out-of-the-box state. | VMware vSphere 7.0 vCenter Appliance EAM Security Technical Implementation Guide
  • V-256722 | CAT II | Lookup Service directory tree must have permissions in an out-of-the-box state. | VMware vSphere 7.0 vCenter Appliance Lookup Service Security Technical Implementation Guide
  • V-256627 | CAT II | Performance Charts directory tree must have permissions in an out-of-the-box state. | VMware vSphere 7.0 vCenter Appliance Perfcharts Security Technical Implementation Guide
  • V-256761 | CAT II | The Security Token Service directory tree must have permissions in an out-of-the-box state. | VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide
  • V-256794 | CAT II | The vSphere UI directory tree must have permissions in an out-of-the-box state. | VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide
  • V-256335 | CAT II | The vCenter Server users must have the correct roles assigned. | VMware vSphere 7.0 vCenter Security Technical Implementation Guide
  • V-258921 | CAT II | The vCenter Server user roles must be verified. | VMware vSphere 8.0 vCenter Security Technical Implementation Guide
  • V-207401 | CAT II | The VMM must separate user functionality (including user interface services) from VMM management functionality. | Virtual Machine Manager Security Requirements Guide
  • V-206393 | CAT II | Web server accounts accessing the directory tree, the shell, or other operating system functions and utilities must only be administrative accounts. | Web Server Security Requirements Guide
  • V-206394 | CAT II | Anonymous user access to the web server application directories must be prohibited. | Web Server Security Requirements Guide
  • V-206395 | CAT II | The web server must separate the hosted applications from hosted web server management functionality. | Web Server Security Requirements Guide