
V-279032

CAT II (Medium)

ColdFusion must require enforced authentication.

Rule ID

SV-279032r1171325_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000166

Discussion

ColdFusion must require each authorized user to authenticate individually and must not allow multiple users to share a single login. Without enforced authentication, there is no reliable method to verify the identity of users accessing the ColdFusion Administrator Console or other secured components of the application server. This lack of accountability can allow unauthorized users to gain elevated privileges, make unauthorized changes, or conceal malicious activity. Requiring a username and password for each user aligns with the principles of least privilege and ensures that access to sensitive configuration and management functions is appropriately controlled.

Check Content

1. From the Admin Console Landing Screen, navigate to Security >> Administrator.

2. If "Separate user name and password authentication (allows multiple users)" is not selected, this is a finding.

Fix Text

1. From the Admin Console Landing Screen, navigate to Security >> Administrator.

2. Select "Separate user name and password authentication (allows multiple users)".

3. Select "Submit Changes".