STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-258600

CAT I (High)

The ICS must be configured to prevent nonprivileged users from executing privileged functions.

Rule ID

SV-258600r997506_rule

STIG

Ivanti Connect Secure NDM Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-000163, CCI-000164, CCI-000166, CCI-000187, CCI-000213, CCI-000345, CCI-000366, CCI-000370, CCI-000764, CCI-004045, CCI-001199, CCI-001493, CCI-001495, CCI-001499, CCI-003980, CCI-001813, CCI-002169, CCI-002235, CCI-002883, CCI-003627, CCI-003628, CCI-003831, CCI-004046, CCI-004047, CCI-004058, CCI-004059, CCI-004060, CCI-004061, CCI-004063, CCI-004064, CCI-004065

Discussion

Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations.

Satisfies: SRG-APP-000340-NDM-000288, SRG-APP-000380-NDM-000304, SRG-APP-000378-NDM-000302, SRG-APP-000133-NDM-000244, SRG-APP-000123-NDM-000240, SRG-APP-000121-NDM-000238, SRG-APP-000231-NDM-000271, SRG-APP-000408-NDM-000314, SRG-APP-000329-NDM-000287, SRG-APP-000153-NDM-000249, SRG-APP-000119-NDM-000236, SRG-APP-000120-NDM-000237, SRG-APP-000033-NDM-000212, SRG-APP-000516-NDM-000335, SRG-APP-000516-NDM-000336, SRG-APP-000177-NDM-000263, SRG-APP-000080-NDM-000220

Check Content

Verify Realms and Roles are configured as needed to meet mission requirements.

In the ICS Web UI, navigate to Administrators >> Admin Realms >> Admin Realms.
1. Click the admin realm that is currently being used on the ICS for administrator logins. By default, it is "Admin Users".
2. In the "General" tab, under Servers >> Directory/Attribute, verify it does not say "none".
3. In the "Role Mapping" tab, under "when users meet these conditions", verify the following:
- "Group" must be used, and the local site's administrator active directory group must be selected and assigned to the ".Administrators" role. Note that this role could be different if using something other than the default ".Administrators" role.
- Verify separate usernames are not used. Verify an allow-all username of * is used.

If a realm or role is not configured to prevent nonprivileged users from executing privileged functions, this is a finding.

Fix Text

Configure Realms and Roles as needed to meet mission requirements.

Note: ".Administrators" is the default role name; other administrator role names can be used. Groups must be used; separate usernames or an allow-all username of * are not acceptable.

In the ICS Web UI, navigate to Administrators >> Admin Realms >> Admin Realms.
1. Click the admin realm that is currently being used on the ICS for administrator logins. By default, it is "Admin Users".
2. In the "General" tab, under Servers >> Directory/Attribute, select the previously configured LDAP Directory. If none is configured, follow the vendor-supplied instructions for creating an LDAP Authentication Server.
3. In the "Role Mapping" tab, under "when users meet these conditions", select "New Rule".
4. Under "Rule based on", select "Group Membership".
5. Give the rule a name.
6. Select "is".
7. Provide the exact group name in the text box. This name must match the "CN=" attribute name. For example, if the group is "CN=ivanti.adm.group" then add the "ivanti.adm.group" to the text box.
8. Under "then assign these roles", select the admin role used by ICS for admin logins. By default this is ".Administrators".
9. Click "Save Changes".
10. Under "Role Mapping", if more roles are needed for more specific role-based access to the ICS, configure them here.
11. Once complete, click "Save Changes".
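The Check Content and Fix Text above describe a manual Web UI review. The following is an added example, not Ivanti, DISA or STIGhub code, of how an auditor might encode the same conditions as an automated check over an exported realm configuration. The realm/rule data model, the `directory_server` field name, the `based_on` vocabulary ("Group Membership" / "Username") and the server name "LDAP-CORP" are constructed assumptions for illustration; ICS has no documented export in this shape, so the data would have to be transcribed from the Admin Realm settings. The check follows the Fix Text note: the realm must point at a directory server, every mapping rule must be based on group membership, and neither separate usernames nor the allow-all "*" username are acceptable.

```python
"""
Audit helper for the V-258600 realm/role-mapping check.
Added example; not Ivanti or DISA code. The realm/rule data model below is a
constructed stand-in for the Admin Realm settings seen in the ICS Web UI.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class RoleMappingRule:
    """One 'when users meet these conditions' rule (constructed model)."""
    name: str
    based_on: str          # "Group Membership" or "Username" (assumed vocabulary)
    operator: str          # e.g. "is"
    value: str             # group name or username pattern typed into the text box
    roles: list[str] = field(default_factory=list)  # "then assign these roles"


@dataclass
class AdminRealm:
    """Admin realm with its General-tab directory server and Role Mapping rules."""
    name: str
    directory_server: str  # "none" when no Directory/Attribute server is selected
    rules: list[RoleMappingRule] = field(default_factory=list)


def group_cn_name(dn: str) -> str:
    """Return the CN value from a DN such as 'CN=ivanti.adm.group,OU=...'.

    Step 7 of the fix text requires the rule text box to hold this bare value,
    not the full distinguished name. A value without 'CN=' is returned as-is.
    """
    for part in dn.split(","):
        key, _, val = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return val.strip()
    return dn.strip()


def audit_realm(realm: AdminRealm, admin_role: str = ".Administrators") -> list[str]:
    """Return a list of findings; an empty list means the realm passes this rule."""
    findings: list[str] = []

    # Check step 2: the realm must authenticate against a directory, not "none".
    if realm.directory_server.strip().lower() in ("", "none"):
        findings.append(f"{realm.name}: Directory/Attribute server is 'none'")

    admin_group_rule = False
    for rule in realm.rules:
        if rule.based_on == "Username":
            # Neither separate usernames nor the allow-all '*' pattern is acceptable.
            if rule.value.strip() == "*":
                findings.append(f"{realm.name}: rule '{rule.name}' uses allow-all username '*'")
            else:
                findings.append(f"{realm.name}: rule '{rule.name}' maps separate username '{rule.value}'")
        elif rule.based_on == "Group Membership":
            if rule.value.strip() == "":
                findings.append(f"{realm.name}: rule '{rule.name}' has an empty group name")
            elif rule.value.strip() != group_cn_name(rule.value):
                findings.append(f"{realm.name}: rule '{rule.name}' uses a full DN instead of the CN value")
            elif admin_role in rule.roles:
                admin_group_rule = True
        else:
            findings.append(f"{realm.name}: rule '{rule.name}' is based on '{rule.based_on}', not a group")

    # Check step 3: a group-membership rule must assign the administrator role.
    if not admin_group_rule:
        findings.append(f"{realm.name}: no Group Membership rule assigns {admin_role}")
    return findings


# Constructed sample realms; not taken from any real deployment.
COMPLIANT = AdminRealm(
    name="Admin Users",
    directory_server="LDAP-CORP",  # assumed name of a previously configured LDAP server
    rules=[
        RoleMappingRule("Site admins", "Group Membership", "is", "ivanti.adm.group", [".Administrators"]),
    ],
)

NONCOMPLIANT = AdminRealm(
    name="Admin Users (legacy)",
    directory_server="none",
    rules=[
        RoleMappingRule("Everyone", "Username", "is", "*", [".Administrators"]),
        RoleMappingRule("Bob", "Username", "is", "bob.admin", [".Administrators"]),
    ],
)

if __name__ == "__main__":
    for realm in (COMPLIANT, NONCOMPLIANT):
        result = audit_realm(realm)
        print(f"{realm.name}: {'PASS' if not result else 'FINDING'}")
        for item in result:
            print("  -", item)
```

Run directly, the script reports the compliant realm as PASS and lists four findings for the second realm (no directory server, an allow-all "*" rule, a separate-username rule, and no group rule assigning ".Administrators"). Each finding maps back to a numbered step in the Check Content, which keeps the automated result easy to reconcile with the manual review.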