V-254914

Discussion

Restricting this setting limits the user's ability to change their password. Passwords need to be changed at specific policy based intervals; however, if the application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Check Content

From Browser:

1. Navigate to the Tanium Console URI and log in using multi-factor authentication.

2. Click the lock to the left of the URI in the address bar.

3. Select the lock on the left of the URI in the address bar:
    a) Chrome: Select "Certificate".
    b) Edge: Select "Connection is Secure," and then select the certificate icon on the right.

4. Select the "Details" tab.

5. Scroll down through the details to find and select the "Enhanced Key Usage" field.

If there is no "Enhanced Key Usage" field, this is a finding.

In the bottom screen, verify "Server Authentication" and "Client Authentication" are both identified.

If "Server Authentication" and "Client Authentication" are not both identified, this is a finding.

From Server:

1. Access the Tanium Server interactively.

2. Log on to the TanOS server with the tanadmin role.

3. Press "2" for "Tanium Operations Menu," and then press "Enter".

4. Press "7" for "Download SOAP Certificate," and then press "Enter".

5. In a browser with access to the Tanium Server Console, navigate to https://<tanium server>/pub/SOAPServer.crt.

6. Download the SOAPServer.crt file when prompted.

7. Double-click on the file to open the certificate.

8. Select the "Details" tab.

9. Scroll down through the details to find and select the "Enhanced Key Usage" field.

If there is no "Enhanced Key Usage" field, this is a finding.

In the bottom screen, verify "Server Authentication" and "Client Authentication" are both identified.

If "Server Authentication" and "Client Authentication" are not both identified, this is a finding.