STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Nutanix Acropolis Application Server Security Technical Implementation Guide

V-279434

CAT I (High)

Nutanix AOS must use multifactor authentication for access to privileged and nonprivileged accounts by enabling common access card (CAC) authentication.

Rule ID

SV-279434r1192622_rule

STIG

Nutanix Acropolis Application Server Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000765CCI-004068CCI-002009CCI-000187CCI-002010CCI-004046

Discussion

Multifactor authentication (MFA) is defined as using two or more factors to achieve authentication. MFA creates a layered defense and makes it more difficult for an unauthorized person to access the application server. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target. Unlike a simple username/password scenario where the attacker could gain access by knowing both the username and password without the user knowing his account was compromised, multifactor authentication adds the requirement the attacker must have something from the user, such as a token, or to biometrically be the user. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Something a user is (e.g., biometric). A CAC or PKI Hardware Token meets this definition. A privileged account is defined as an information system account with authorizations of a privileged user. These accounts would be capable of accessing the web management interface. When accessing the application server via a network connection, administrative access to the application server must be PKI Hardware Token enabled. Satisfies: SRG-APP-000149-AS-000102, SRG-APP-000401-AS-000243, SRG-APP-000402-AS-000247, SRG-APP-000177-AS-000126, SRG-APP-000403-AS-000248

Check Content

Verify the Nutanix AOS uses a centralized AAA server that uses DOD PKI to authenticate individual users.

1. Log in to Prism Element.
2. Click the gear icon in the upper-right corner.
3. Navigate to the Authentication settings.

If CAC authentication is not enabled, this is a finding.

Fix Text

Configure the Nutanix AOS to use a centralized AAA server that uses DOD PKI to authenticate individual users.

1. Log in to Prism Element.
2. Click the gear icon in the upper-right corner.
3. Navigate to the Authentication settings. 
4. Select the "Configure Service Account" check box and then complete the following in the indicated fields:
a. Select the authentication directory that contains the CAC users to be authenticated. This list includes the directories configured on the Directory List tab.
b. Service Username: Enter the username in the username@domain.com format the web console will use to log in to the Active Directory.
c. Service Password: Enter the password for the service username.
d. Click "Enable CAC".