17:["$","div",null,{"className":"mx-auto max-w-7xl px-6 py-10","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-link text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-6 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"font-display text-3xl font-bold","children":"ISEC7 Sphere Security Technical Implementation Guide"}],false,["$","$L21",null,{}]]}],["$","section",null,{"className":"border-border bg-surface mb-8 rounded-lg border p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","3","R","1"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Aug 20, 2024"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-text-muted text-xs","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"ISEC7_Sphere","children":"ISEC7_Sphere"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":34}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","other",{"className":"bg-tag-bg text-tag-text rounded-full px-2 py-0.5 text-xs","children":"other"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"bg-severity-high-bg text-severity-high-text rounded px-3 py-1 text-sm font-medium","children":["CAT I: ",2]}],["$","span",null,{"className":"bg-severity-medium-bg text-severity-medium-text rounded px-3 py-1 text-sm font-medium","children":["CAT II: ",31]}],["$","span",null,{"className":"bg-severity-low-bg text-severity-low-text rounded px-3 py-1 text-sm font-medium","children":["CAT III: ",1]}]]}],["$","p",null,{"className":"text-text-secondary mt-4 text-sm","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=ISEC7%20Sphere%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=ISEC7%20Sphere%20Security%20Technical%20Implementation%20Guide&format=csv","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=ISEC7%20Sphere%20Security%20Technical%20Implementation%20Guide&format=json","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export JSON"}],["$","a",null,{"href":"https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_ISEC7_Sphere_V3R1_STIG.zip","target":"_blank","rel":"noopener noreferrer","className":"bg-link/10 text-link hover:bg-link/20 border-link/30 rounded border px-3 py-1 text-sm font-medium","children":"Download STIG ZIP"}]]}]]}],["$","$L22",null,{"checks":[{"id":"42a96985-01ee-473c-8ec6-e5db8d96d63e","vulnId":"V-224760","severity":"medium","ruleTitle":"The ISEC7 SPHERE must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.","description":"Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to denial-of-service (DoS) attacks.\n\nThis requirement may be met via the application or by utilizing information system session control provided by a web server with specialized session management capabilities. If it has been specified that this requirement will be handled by the application, the capability to limit the maximum number of concurrent single user sessions must be designed and built into the application. \n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.","checkContent":"Log in to the ISEC7 SPHERE Console.\nNavigate to Administration >> Configuration >> Apache Tomcat Settings.\nVerify the maxConnections setting is set according to organizational guidelines.\nVerify the maxThreads setting is set according to organizational guidelines.\n\nIf the maxConnections setting is not set according to organizational guidelines or the maxThreads setting is not set according to organizational guidelines, this is a finding.","fixText":"Log in to the ISEC7 SPHERE Console.\nNavigate to Administration >> Configuration >> Apache Tomcat Settings.\nSet the maxConnections setting according to organizational guidelines.\nSet the maxThreads setting according to organizational guidelines.\nRestart the ISEC7 SPHERE Web service."},{"id":"8fea1fe1-2f46-4380-9f95-20d355fe49e3","vulnId":"V-224761","severity":"medium","ruleTitle":"The ISEC7 SPHERE must initiate a session lock after a 15-minute period of inactivity.","description":"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system-level and results in a system lock, but may be at the application-level where the application interface window is secured instead.","checkContent":"Log in to the ISEC7 SPHERE Console.\nNavigate to Administration >> Configuration >> Apache Tomcat Settings.\nValidate the session timeout has been set to the correct value.\n\nAlternatively, allow the console to sit for 15 minutes and confirm the user is prompted to login again when attempting to navigate to a new screen.\n\nIf the SPHERE Console timeout has not been set for 15 minutes or less, this is a finding.","fixText":"Log in to the ISEC7 SPHERE Console.\nNavigate to Administration >> Configuration >> Apache Tomcat Settings.\nSet the session timeout to the correct value of 15 minutes or less."},{"id":"faaddc8c-988c-4068-87d7-b844f89e70bf","vulnId":"V-224762","severity":"medium","ruleTitle":"The ISEC7 SPHERE must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.","description":"Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.\n\nThis requirement applies to Transport Layer Security (TLS) gateways (also known as Secure Sockets Layer [SSL] gateways), web servers, and web applications and is not applicable to virtual private network (VPN) devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol and thus are in scope for this requirement. NIST SP 800-52 provides guidance for client negotiation on either DOD-only or on public-facing servers.","checkContent":"Log in to the ISEC7 SPHERE Console.\nNavigate to Administration >> Configuration >> Apache Tomcat Settings.\nVerify \"protocols\" is set to +TLSv1.2, +TLSv1.3.\n\nIf \"protocols\" is not set to +TLSv1.2 or higher, this is a finding.","fixText":"Log in to the ISEC7 SPHERE Console.\nNavigate to Administration >> Configuration >> Apache Tomcat Settings.\nUsing the dropdown menu for protocols, select +TLSv1.2, +TLSv1.3.\nClick \"Update\".\nRestart the ISEC7 SPHERE Web service."},{"id":"403e52a8-201b-49bf-9c04-ed97de1819db","vulnId":"V-224763","severity":"medium","ruleTitle":"The ISEC7 SPHERE must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the ISEC7 SPHERE.","description":"$23","checkContent":"Log in to the ISEC7 SPHERE Console.\nNote if the appropriate Standard mandatory DOD Notice and Consent Banner is displayed.\n\nAlternatively, if already logged in to the ISEC7 SPHERE Console, navigate to Administration >> User Self Service >> Page Customizations.\nVerify that a Page Customization exists to display the Standard mandatory DOD Notice and Consent Banner.\n\nIf a Page Customization does not exist, or it does not contain the required DOD banner, this is a finding.","fixText":"Set the session timeout to the correct value of 15 minutes or less."},{"id":"4186d961-895e-4030-a900-e4821c3138bf","vulnId":"V-224764","severity":"medium","ruleTitle":"The ISEC7 SPHERE server must be configured to have at least one user in the following Administrator roles: Security Administrator, Site Administrator, and Help Desk User.","description":"Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. \n \nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.","checkContent":"Log in to the ISEC7 SPHERE console.\nNavigate to Administration >> Configuration >> Access Permissions.\nVerify for each Role (Security Administrator, Site Administrator, and Help Desk User) that at least one user or AD group has been assigned.\n\nIf for each Role (Security Administrator, Site Administrator, Help Desk User) there is not at least one user (or AD group) assigned, this is a finding.","fixText":"Log in to the ISEC7 SPHERE console.\nNavigate to Administration >> Configuration >> Access Permissions.\nAssign at least one user or AD group to each of the following roles: Security Administrator, Site Administrator, and Help Desk User."},{"id":"75203259-5b34-40b8-a157-a8efdd49f9ab","vulnId":"V-224765","severity":"medium","ruleTitle":"The ISEC7 SPHERE must alert the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. \n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.","checkContent":"Log in to the ISEC7 SPHERE console.\nNavigate to Administration >> Configuration >> Notifications >> Recipient Lists.\nSelect \"Edit\" next to the Systems Notifications.\nVerify the email address or distribution list has been added.\n\nIf a recipient email address or distribution list has not been added to System Notifications, this is a finding.","fixText":"Log in to the ISEC7 SPHERE console.\nNavigate to Administration >> Configuration >> Notifications >> Recipient Lists.\nSelect \"Edit\" next to the Systems Notifications.\nUnder Add recipient, select \"Email\" as the Type and enter the correct email address of recipients.\nSelect \"Add\"."},{"id":"a140ce8d-575b-4998-80da-82c176f98456","vulnId":"V-224766","severity":"medium","ruleTitle":"The ISEC7 SPHERE must back up audit records at least every seven days onto a different system or system component than the system or component being audited, provide centralized management and configuration of the content to be captured in audit records generated by all ISEC7 SPHERE components, and offload audit records onto a different system or media than the system being audited.","description":"Protection of log data includes assuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps to assure in the event of a catastrophic system failure, the audit records will be retained. \n\nThis helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records.\n\nThis requirement only applies to applications that have a native backup capability for audit records. Operating system backup requirements cover applications that do not provide native backup functions.\n\nSatisfies: SRG-APP-000125, SRG-APP-000356, SRG-APP-000358","checkContent":"Open the central log repository and verify the ISEC7 logs have been written to the location of the log server.\n\nLog in to the ISEC7 SPHERE Console.\nNavigate to Administration >> Configuration >> Apache Tomcat Settings.\nVerify that the log directory path is set to the desired location.\n\nAlternatively:\n\nOn the ISEC7 SPHERE server, browse to the install directory.\nDefault is %Install Drive%/Program Files/ISEC7 SPHERE.\nSelect the conf folder.\nOpen config.properties and verify the logPath is set to the desired location.\n\nIf ISEC7 SPHERE logs are not written to an audit log management server, this is a finding.","fixText":"Log in to the ISEC7 SPHERE Console.\n\nNavigate to Administration >> Configuration >> Apache Tomcat Settings.\n\nSet the log directory path to the desired location.\n\nAlternatively:\n\nOn the ISEC7 SPHERE server, browse to the install directory.\nDefault is %Install Drive%/Program Files/ISEC7 SPHERE.\nSelect the conf folder.\nOpen config.properties and set the logPath to the desired location of the log server."},{"id":"a210a733-65b5-4c7f-ac36-16d6d7cedace","vulnId":"V-224767","severity":"high","ruleTitle":"ISEC7 SPHERE must disable or delete local account created during application installation and configuration.","description":"The ISEC7 local account password complexity controls do not meet DOD requirements; therefore, admins have the capability to configure the account out of compliance, which could allow attacker to gain unauthorized access to the server and access to command MDM servers.","checkContent":"Log in to the ISEC7 SPHERE console.\nNavigate to Administration >> Configuration >> Account Management >> Users.\nSelect \"Edit\" next to the local account Admin.\nVerify \"Log in disabled\" has been selected.\n\nIf \"Log in disabled\" has not been selected, this is a finding.","fixText":"Log in to the ISEC7 SPHERE console.\nNavigate to Administration >> Configuration >> Account Management >> Users.\nSelect \"Edit\" next to the local account Admin.\nCheck \"Log in disabled\" for the account.\nClick \"Save\"."},{"id":"f7e819cd-720b-42d7-a7ab-e8972ca71630","vulnId":"V-224768","severity":"medium","ruleTitle":"When using PKI-based authentication for user access, the ISEC7 SPHERE must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.","description":"$24","checkContent":"Log in to the server(s) hosting the ISEC7 SPHERE application.\nOpen the Microsoft Management Console and add the Local Computer Certificates snap-in.\nOpen the Trusted Root Certification Authorities >> Certificates.\nVerify the DOD Root PKI Certificates Authorities have been added to the server.\n\nIf the DOD Root PKI Certificates Authorities have not been added to the server, this is a finding.","fixText":"Log in to the server(s) hosting the ISEC7 SPHERE application.\nOpen the Microsoft Management Console and add the Local Computer Certificates snap-in.\nOpen the Trusted Root Certification Authorities >> Certificates.\nInstall the DOD Root PKI Certificates Authorities to the server."},{"id":"2a94fe82-1164-422b-8bd0-054b6e34fd60","vulnId":"V-224769","severity":"low","ruleTitle":"The ISEC7 SPHERE must accept Personal Identity Verification (PIV) credentials.","description":"The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access.\n\nDOD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems.","checkContent":"Log in to the ISEC7 SPHERE Console.\n\nNavigate to Administration >> Configuration >> Settings.\n\nVerify the CAC login box has been checked.\n\nOn the ISEC7 SPHERE server, browse to the install directory.\nDefault is %Install Drive%/Program Files/ISEC7 SPHERE\nSelect the conf folder.\nOpen config.properties and confirm the following lines exist:\n\n cacUserUIDRegex=^CN=[^0-9]*\\\\.([0-9]+),\n cacUserUIDProperty=UserPrincipalName\n\nBrowse to %Install Drive%/Program Files >> ISEC7 SPHERE >> Tomcat >> conf\nConfirm the server.xml file has clientAuth=\"required\" under the Connection.\n\nIf the required commands do not exist in config.properties or if clientAuth does not =\"required\" in the server.xml file, this is a finding.","fixText":"Log in to the ISEC7 SPHERE Console.\nNavigate to Administration >> Configuration >> LDAP.\nCheck \"Also enable user certificate logins. e.g. from smart cards (CAC)\".\nCheck \"Only allow certificates with extended key usage for smartcard logon (1.3.6.1.4.1.311.20.2.2)\".\n\nBrowse to %Install Drive%/Program Files >> ISEC7 SPHERE >> Tomcat >> conf.\nOpen the server.xml file and add clientAuth=\"required\" under the Connection."},{"id":"a27af3fc-d4c7-46c9-a97d-bf3bc8feb57e","vulnId":"V-224770","severity":"medium","ruleTitle":"Before establishing a local, remote, and/or network connection with any endpoint device, the ISEC7 SPHERE must use a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device.","description":"$25","checkContent":"$26","fixText":"$27"},{"id":"8e82031f-491d-4bfe-9120-b38b8b5a0759","vulnId":"V-224771","severity":"medium","ruleTitle":"The ISEC7 SPHERE must allow the use of DOD PKI established certificate authorities for verification of the establishment of protected sessions.","description":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.\n\nThe DOD will only accept PKI certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of TLS certificates. \n\nThis requirement focuses on communications protection for the application session rather than for the network packet.\n\nThis requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA).","checkContent":"Log in to the ISEC7 SPHERE Server.\nNavigate to %Install Drive%/Program Files/ISEC7 SPHERE/tomcat/bin.\nRun tomcat9w.bat and select the JAVA tab in the window that opens.\nUnder \"Java options\" verify \"-Djavax.net.ssl.trustStoreType=Windows-ROOT\" is listed.\n\nIf \"-Djavax.net.ssl.trustStoreType=Windows-ROOT\" is not listed, this is a finding.","fixText":"Log in to the ISEC7 SPHERE Server.\nNavigate to %Install Drive%/Program Files/ISEC7 SPHERE/tomcat/bin.\nRun tomcat9w.bat and select the JAVA tab in the window that opens.\nUnder \"Java options\" add \"-Djavax.net.ssl.trustStoreType=Windows-ROOT\" and select \"OK\".\nRestart the ISEC7 SPHERE Web service."},{"id":"19c3d52d-f492-4646-8200-23ef75483c7c","vulnId":"V-224772","severity":"medium","ruleTitle":"The ISEC7 SPHERE must protect the confidentiality and integrity of transmitted information during preparation for transmission and during reception using cryptographic mechanisms.","description":"$28","checkContent":"Log in to the ISEC7 SPHERE Console.\nNavigate to Administration >> Configuration >> Apache Tomcat Settings.\nVerify protocols is set to +TLSv1.2, +TLSv1.3.\n\nIf protocols is not set to +TLSv1.2 or higher, this is a finding.","fixText":"Log in to the ISEC7 SPHERE Console.\nNavigate to Administration >> Configuration >> Apache Tomcat Settings.\nUsing the drop-down menu for protocols, select +TLSv1.2, +TLSv1.3.\nClick \"Update\".\nRestart the ISEC7 SPHERE Web service."},{"id":"fa399bab-097d-4009-81be-7070c9fa7a52","vulnId":"V-224773","severity":"medium","ruleTitle":"The ISEC7 SPHERE must be configured to leverage the enterprise directory service accounts and groups for ISEC7 SPHERE server admin identification and authentication.","description":"A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos).","checkContent":"Log in to the ISEC7 SPHERE Console.\nNavigate to Administration >> Configuration >> LDAP.\nVerify that a LDAP entry has been configured to the enterprise.\nSelect \"Edit\" and confirm the \"Use for Login\" check box has been selected.\nNavigate to Administration >> Configuration >> Settings.\nVerify that Log in using (Default) has been set to the enterprise connection.\n\nIf a LDAP entry has not been configured to the enterprise or Log in using (Default) has not been set to the enterprise connection, this is a finding.","fixText":"Log in to the ISEC7 SPHERE Console.\nNavigate to Administration >> Configuration >> LDAP.\nSelect \"Add new LDAP\".\nProvide the connection information for the enterprise LDAP connection.\nCheck the box \"Use for Login\".\nNavigate to Administration >> Configuration >> Settings.\nSet Log in using (Default) to the enterprise connection."},{"id":"fbf27db0-e89b-44ce-83e6-1e29d28bbbd7","vulnId":"V-224774","severity":"medium","ruleTitle":"The ISEC7 SPHERE must configure the timeout for the console to be 15 minutes or less.","description":"A session time-out lock is a temporary action taken when a user (MDM system administrator) stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system level and results in a system lock but may be at the application level where the application interface window is secured instead.","checkContent":"Log in to the ISEC7 SPHERE Console.\nNavigate to Administration >> Configuration >> Apache Tomcat Settings.\nValidate the session timeout has been set to the correct value.\n\nAlternatively, allow the console to sit for 15 minutes and confirm that the user is prompted to log in once again when attempting to navigate to a new screen.\n\nIf the SPHERE Console timeout has not been set for 15 minutes or less, this is a finding.","fixText":"Log in to the ISEC7 SPHERE Console.\nNavigate to Administration >> Configuration >> Apache Tomcat Settings.\nSet the session timeout to the correct value of 15 minutes or less."},{"id":"73f1d9a8-f89f-4810-a852-e2bd1f1fcb0c","vulnId":"V-224775","severity":"medium","ruleTitle":"The ISEC7 SPHERE, Tomcat installation, and ISEC7 Suite monitor must be configured to use the Windows Trust Store for the storage of digital certificates and keys.","description":"A trust store provides requisite encryption and access control to protect digital certificates from unauthorized access.","checkContent":"Log in to the ISEC7 SPHERE Console.\nNavigate to Administration >> Configuration >> Apache Tomcat Settings.\nVerify that the type of Keystore being used is: Windows-MY \n\nIf the type of Keystore being used is not Windows-MY, this is a finding.","fixText":"Log in to the ISEC7 SPHERE Console.\nNavigate to Administration >> Configuration >> Apache Tomcat Settings.\nSelect the type of Keystore to be used as: \nWindows-MY\nRestart the ISEC7 SPHERE Web service."},{"id":"69ef8e33-33f1-44e8-9c41-d5b8a8170556","vulnId":"V-224776","severity":"medium","ruleTitle":"If cipher suites using pre-shared keys are used for device authentication, the ISEC7 SPHERE must have a minimum security strength of 112 bits or higher, must only be used in networks where both the client and server are government systems, must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0 and must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithm for transmission.","description":"$29","checkContent":"Log in to the ISEC7 SPHERE Console.\nNavigate to Administration >> Configuration >> Apache Tomcat Settings.\nVerify protocols is set to +TLSv1.2, +TLSv1.3.\n\nIf protocols is not set to +TLSv1.2 or higher, this is a finding.","fixText":"Log in to the ISEC7 SPHERE Console.\nNavigate to Administration >> Configuration >> Apache Tomcat Settings.\nUsing the dropdown menu for protocols, select +TLSv1.2, +TLSv1.3.\nClick \"Update\".\nRestart the ISEC7 SPHERE Web service."},{"id":"c4d52a27-9601-4b4e-af6c-81bbd20df0b3","vulnId":"V-224777","severity":"medium","ruleTitle":"The ISEC7 SPHERE must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (nonlegacy use).","description":"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nTo protect the integrity of the authenticator and authentication mechanism used for the cryptographic module used by the network device, the application, operating system, or protocol must be configured to use one of the following hash functions for hashing the password or other authenticator in accordance with SP 800-131Ar1: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, and SHA3-512.\n\nFor digital signature verification, SP800-131Ar1 allows SHA-1 for legacy use where needed.","checkContent":"Log in to the ISEC7 SPHERE Console.\nConfirm that the browser session is secured using a DOD issued certificate.\n\nAlternately, log in to the ISEC7 SPHERE Console.\nNavigate to Administration >> Configuration >> Apache Tomcat Settings.\nIdentify which type of Keystore is being used.\n\nWindows MY: \nOpen the Microsoft Management Console.\nAdd the Certificates Snap-In for the ISEC7 Service Account.\nNavigate to the Personal Certificates Store.\nVerify the certificate is issued by a DOD Trusted Certificate Authority.\n\nJavaKeystore PKCS12:\nUsing a Keystore browser such as Portecle, open the ISEC7 SPHERE keystore.\nEnter the Keystore password when prompted.\nOpen the installed certificate and verify it was issued by a DOD Trusted Certificate Authority.\n\nIf certificates used by the server are not DOD issued certificates, this is a finding.","fixText":"$2a"},{"id":"1a86fefa-3110-4e10-89d2-1256da48a8f1","vulnId":"V-224778","severity":"medium","ruleTitle":"The ISEC7 SPHERE must use a FIPS-validated cryptographic module to provision digital signatures.","description":"$2b","checkContent":"Log in to the ISEC7 SPHERE Console.\nConfirm that the browser session is secured using a DOD issued certificate.\n\nAlternately, log in to the ISEC7 SPHERE Console.\nNavigate to Administration >> Configuration >> Apache Tomcat Settings.\nIdentify which type of Keystore is being used.\n\nWindows MY: \nOpen the Microsoft Management Console.\nAdd the Certificates Snap-In for the ISEC7 Service Account.\nNavigate to the Personal Certificates Store.\nVerify the certificate is issued by a DOD Trusted Certificate Authority.\n\nJavaKeystore PKCS12:\nUsing a Keystore browser such as Portecle, open the ISEC7 SPHERE keystore.\nEnter the Keystore password when prompted.\nOpen the installed certificate and verify it was issued by a DOD Trusted Certificate Authority.\n\nIf certificates used by the server are not DOD issued certificates, this is a finding.","fixText":"$2c"},{"id":"031c8b9e-a0a0-4abb-9f63-e888ad54f2e8","vulnId":"V-224779","severity":"medium","ruleTitle":"The ISEC7 SPHERE must use a FIPS 140-2-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality, generate cryptographic hashes, and to configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.","description":"$2d","checkContent":"Log in to the ISEC7 SPHERE Console.\nConfirm that the browser session is secured using a DOD issued certificate.\n\nAlternately, log in to the ISEC7 SPHERE Console.\nNavigate to Administration >> Configuration >> Apache Tomcat Settings.\nIdentify which type of Keystore is being used.\n\nWindows MY: \nOpen the Microsoft Management Console.\nAdd the Certificates Snap-In for the ISEC7 Service Account.\nNavigate to the Personal Certificates Store.\nVerify the certificate is issued by a DOD Trusted Certificate Authority.\n\nJavaKeystore PKCS12:\nUsing a Keystore browser such as Portecle, open the ISEC7 SPHERE keystore.\nEnter the Keystore password when prompted.\nOpen the installed certificate and verify it was issued by a DOD Trusted Certificate Authority.\n\nIf certificates used by the server are not DOD issued certificates, this is a finding.","fixText":"$2e"},{"id":"b93254c3-f262-4b48-bf3a-ce30674ecfb6","vulnId":"V-224780","severity":"medium","ruleTitle":"The Apache Tomcat Manager Web app password must be cryptographically hashed with a DOD-approved algorithm.","description":"$2f","checkContent":"Verify the Apache Tomcat Manager Web app password is hashed using SHA-256 (or SHA-512).\n\nLog in to the ISEC7 SPHERE server.\nNavigate to :\\Program Files\\ISEC7 SPHERE\\Tomcat\\conf\\\nOpen tomcat-users.xml and verify the user password has been hashed with an obfuscated password.\n\nex: \n\nOpen :\\Program Files\\ISEC7 SPHERE\\Tomcat\\conf\\server.xml with Notepad.exe.\n\nSelect Edit >> Find and search for CredentialHandler.\n\nConfirm the text: \n\nClose the file.\n\nIf the Apache Tomcat Manager Web app password is not hashed using SHA-256 (or SHA-512), this is a finding.","fixText":"$30"},{"id":"00b42a4c-652f-497b-8f52-757f28751f02","vulnId":"V-224781","severity":"medium","ruleTitle":"All Web applications included with Apache Tomcat that are not required must be removed.","description":"Removal of unneeded or nonsecure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources.\n\nThe organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or nonsecure.","checkContent":"Verify CATALINA_HOME/webapps Tomcat administrative tool has been configured to remove all Web applications that are not required.\n\nLog in to the ISEC7 SPHERE server.\nBrowse to :\\Program Files\\ISEC7 SPHERE\\Tomcat\\webapps\\\nConfirm all folders in the directory with the exception of Manager and Host-Manager have been removed.\n\nIf the CATALINA_HOME/webapps Tomcat administrative tool has not been configured to remove all Web applications that are not required, this is a finding.","fixText":"To configure the CATALINA_HOME/webapps Tomcat administrative tool to remove all Web applications that are not required, run the ISEC7 integrated installer or use the following manual procedure: \n\nLog in to the ISEC7 SPHERE server.\nBrowse to :\\Program Files\\ISEC7 SPHERE\\Tomcat\\webapps\\\nRemove all folders in the directory with the exception of Manager and Host-Manager."},{"id":"c6d796c2-eac3-43f4-ad4c-6bc9ca480d93","vulnId":"V-224782","severity":"medium","ruleTitle":"LockOutRealm must not be removed from Apache Tomcat.","description":"LockOutRealm prevents brute force attacks against user passwords. Removal of unneeded or nonsecure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources.\n\nThe organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or nonsecure.","checkContent":"Log in to the ISEC7 SPHERE server.\nNavigate to :\\Program Files\\Isec7 SPHERE\\Tomcat\\Config\nOpen the server.xml file with Notepad.\nSelect Edit >> Find and search for LockOutRealm.\nConfirm the following line is in the server.xml file:\n\n\n\nIf it is not found or has been commented out, this is a finding.\n\nIf the LockOutRealm has been removed and cannot be used, this is a finding.","fixText":"Log in to the ISEC7 SPHERE server.\nNavigate to :\\Program Files\\Isec7 SPHERE\\Tomcat\\Config\nOpen the server.xml file with Notepad.\nSelect Edit >> Find and search for LockOutRealm.\nAdd the following line is in the server.xml file:\n\n\n\nRestart the ISEC7 SPHERE Web service in the services.msc."},{"id":"091673fc-cb92-4596-9a63-8e8ad8a812c5","vulnId":"V-224783","severity":"medium","ruleTitle":"The LockOutRealm must be configured with a login failure count of 3.","description":"LockOutRealm prevents brute force attacks against user passwords. Removal of unneeded or nonsecure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources. Access to LockOutRealm must be configured to control login attempts by local accounts.\n\nThe organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or nonsecure.","checkContent":"Verify the failureCount parameter is set to 3 in the LockOutRealm configuration.\n\nLog in to the ISEC7 SPHERE server.\nNavigate to :\\Program Files\\Isec7 SPHERE\\Tomcat\\Config.\nOpen the server.xml file with Notepad.\nSelect Edit >> Find and search for LockOutRealm.\nVerify the failureCount parameter is set to 3 in the following file:\n\n\n\nIf the failureCount parameter is not set to 3 in the LockOutRealm configuration, this is a finding.","fixText":"Add failureCount parameter to the LockOutRealm configuration:\n\nLog in to the ISEC7 SPHERE server.\nNavigate to :\\Program Files\\Isec7 SPHERE\\Tomcat\\Config.\nOpen the server.xml file with Notepad.\nSelect Edit >> Find and search for LockOutRealm.\nAdd the following line is in the server.xml file:\n\n\n\nRestart the ISEC7 SPHERE Web service in the services.msc."},{"id":"32f90494-d1a4-4147-a34d-5dab77674c09","vulnId":"V-224784","severity":"medium","ruleTitle":"The LockOutRealm must be configured with a login lockout time of 15 minutes.","description":"LockOutRealm prevents brute force attacks against user passwords. Removal of unneeded or nonsecure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources. Access to LockOutRealm must be configured to control login attempts by local accounts.\n\nThe organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or nonsecure.","checkContent":"Verify the lockOutTime parameter is set to 900 in the LockOutRealm configuration.\n\nLog in to the ISEC7 SPHERE server.\nNavigate to :\\Program Files\\Isec7 SPHERE\\Tomcat\\Config.\nOpen the server.xml file with Notepad.\nSelect Edit >> Find and search for LockOutRealm.\nVerify the lockOutTime parameter is set to 900 in the following file:\n\n\n\nIf the lockOutTime parameter is not set to 900 in the LockOutRealm configuration, this is a finding.","fixText":"Add lockOutTime parameter to the LockOutRealm configuration:\n\nLog in to the ISEC7 SPHERE server.\nNavigate to :\\Program Files\\Isec7 SPHERE\\Tomcat\\Config.\nOpen the server.xml file with Notepad.\nSelect Edit>Find and search for LockOutRealm.\nAdd the following line in the server.xml file:\n\n\n\nRestart the ISEC7 SPHERE Web service in the services.msc."},{"id":"b15853b6-f007-4a4c-8bd3-29bcdc652fda","vulnId":"V-224785","severity":"medium","ruleTitle":"The Manager Web app password must be configured as follows: \n-15 or more characters.\n-at least one lower case letter. \n-at least one upper case letter. \n-at least one number.\n-at least one special character.","description":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. \n\nUse of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.\n\nSatisfies: SRG-APP-000164, SRG-APP-000166, SRG-APP-000169","checkContent":"Verify the Manager Web app password has been configured as follows:\n-15 or more characters.\n-at least one lower case letter.\n-at least one upper case letter.\n-at least one number.\n-at least one special character.\n\nLog in to the ISEC7 SPHERE server.\nOpen a Web browser and go to https://localhost/manager/html.\nLog in with the custom administrator login and password. Verify password entered meets complexity requirements.\n\nIf the Manager Web app password has not been configured as required, this is a finding.","fixText":"$31"},{"id":"bc089444-7e1b-4f2c-a8d3-83d9c24b056f","vulnId":"V-224786","severity":"medium","ruleTitle":"The ISEC7 SPHERE must configure Enable HTTPS to use HTTP over SSL in Apache Tomcat.","description":"$32","checkContent":"Verify Enable HTTPS has been configured to use HTTP over SSL:\n\nOpen a web browser that is able to reach the ISEC7 SPHERE console.\nVerify that the address used has a prefix of \"https://\".\n\nAlternately:\n\nLog in to the ISEC7 SPHERE server.\nOpen the server.xml file located at :\\Program Files\\ISEC7 SPHERE\\Tomcat\\conf with Notepad.exe.\nSelect Edit >> Find and search for port=\"443\".\nConfirm the connector is present and not commented out:\n\nIf Enable HTTPS has not been configured to use HTTP over SSL, this is a finding.","fixText":"$33"},{"id":"bd823913-c0c6-4200-bde2-6871de709b05","vulnId":"V-224788","severity":"medium","ruleTitle":"Stack tracing must be disabled in Apache Tomcat.","description":"The default error page shows a full stack trace, which is a disclosure of sensitive information. Removal of unneeded or nonsecure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources.\n\nThe organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or nonsecure.","checkContent":"Verify stack tracing has been disabled in Apache Tomcat. \n\nNavigate to the ISEC7 SPHERE installation directory: :\\Program Files\\ISEC7 SPHERE\\web\\WEB-INF.\nOpen web.xml with Notepad.exe.\nScroll to the end of the file.\nConfirm there are no comment tags and the following exists without comment tags:\n\n \n java.lang.Exception\n /exception.jsp\n \n\nIf stack tracing has not been disabled in Apache Tomcat, this is a finding.","fixText":"Remove the default error page by updating the web application web.xml file.\n\nNavigate to the ISEC7 SPHERE installation directory: :\\Program Files\\ISEC7 SPHERE\\web\\WEB-INF.\nOpen web.xml with Notepad.exe.\nScroll to the end of the file.\nRemove the comment tags .\n\n\n\nSave the changes.\n\nThis will acknowledge to the user that an exception occurred without showing any trace or source information."},{"id":"e9fe44d4-fda4-4f1d-853e-23d81bc8bffb","vulnId":"V-224789","severity":"medium","ruleTitle":"The Apache Tomcat shutdown port must be disabled.","description":"Tomcat uses a port (defaults to 8005) as a shutdown port. Someone could Telnet to the machine using this port and send the default command SHUTDOWN. Tomcat and all web apps would shut down in that case, which is a denial-of-service attack and would cause an unwanted service interruption.","checkContent":"Verify the shutdown port is disabled.\n\nLog in to the SPHERE server.\nBrowse to Program Files\\Isec7 SPHERE\\Tomcat\\Conf.\nOpen the server.xml with Notepad.exe.\nSelect Edit >> Find, and then search for \"Shutdown\".\nVerify that the shutdown port has been disabled with entry below:\n\nshutdown=\"-1\"\n\nIf the shutdown port has not been disabled, this is a finding.","fixText":"Log in to the SPHERE server.\nBrowse to Program Files\\Isec7 SPHERE\\Tomcat\\Conf.\nOpen the server.xml with Notepad.exe.\nSelect Edit >> Find, and then search for \"Shutdown\".\nChange the shutdown to \"-1\".\n\nexample: shutdown=-1\n\nSave the file and restart the Isec7 SPHERE Web service with the services.msc."},{"id":"bb146a81-e8de-4e5f-9757-c08f55b0edb0","vulnId":"V-224790","severity":"medium","ruleTitle":"The ISEC7 SPHERE must remove any unnecessary users or groups that have permissions to the server.xml file in Apache Tomcat.","description":"Tomcat uses a port (defaults to 8005) as a shutdown port. Someone could Telnet to the machine using this port and send the default command SHUTDOWN. Tomcat and all web apps would shut down in that case, which is a denial-of-service attack and would cause an unwanted service interruption.","checkContent":"Verify unnecessary users or groups that have permissions to the Server.xml file in Apache Tomcat have been removed.\n\nBrowse to ProgramFiles\\Isec7 SPHERE\\Tomcat\\Conf and select \"Server.xml\".\nRight-click and select \"Properties\".\nSelect the security tab and verify no unnecessary account or groups have been granted permissions to the file.\nVerify no unnecessary users or groups have permissions to the file.\n\nIf unnecessary users or groups that have permissions to the Server.xml file in Apache Tomcat have not been removed, this is a finding.","fixText":"Log in to the ISEC7 SPHERE server.\nBrowse to ProgramFiles\\Isec7 SPHERE\\Tomcat\\Conf and select Server.xml.\nRight-click and select \"Properties\".\nSelect the security tab and remove unnecessary accounts or groups that have been granted permissions to the Server.xml file."},{"id":"80ea3d98-9490-4356-999f-0103e7c48656","vulnId":"V-224791","severity":"medium","ruleTitle":"A manager role must be assigned to the Apache Tomcat Web apps (Manager, Host-Manager).","description":"If a manager role is not assigned to the Apache Tomcat web apps, the system administrator will not be able to manage and configure the web apps and security setting may not be configured correctly, with could leave the Apache Tomcat susceptible to attack by an intruder.","checkContent":"Verify a manager role has been assigned to the Apache Tomcat Web apps (Manager, Host-Manager).\n\nLog in to the ISEC7 SPHERE server.\nNavigate to :\\Program Files\\ISEC7 SPHERE\\Tomcat\\conf\\.\nConfirm a user with the manager role to :\\Program Files\\ISEC7 SPHERE\\Tomcat\\conf\\tomcat-users.xml exists.\n\nexample: \n\nIf a manager role has not been assigned to the Apache Tomcat Web apps, this is a finding.","fixText":"To add a manager role to the Apache Tomcat Web apps (Manager, Host-Manager), run the ISEC7 integrated installer or use the following manual procedure:\n\nBy default there are no users with the manager role assigned. To make use of the manager webapp, add a new role and user into the :\\Program Files\\ISEC7 SPHERE\\Tomcat\\conf\\tomcat-users.xml file.\n\nLog in to the ISEC7 SPHERE server.\nNavigate to :\\Program Files\\ISEC7 SPHERE\\Tomcat\\conf\\.\nAdd a user with the manager role to :\\Program Files\\ISEC7 SPHERE\\Tomcat\\conf\\tomcat-users.xml.\n\nexample: \n\nSave the file."},{"id":"a9f0e637-5a49-493b-ba24-f7f435725720","vulnId":"V-224792","severity":"medium","ruleTitle":"SSL must be enabled on Apache Tomcat.","description":"$34","checkContent":"$35","fixText":"$36"},{"id":"2fcbfda2-7b6d-4ab2-8626-095a64c1bd43","vulnId":"V-224793","severity":"medium","ruleTitle":"Tomcat SSL must be restricted except for ISEC7 SPHERE tasks.","description":"$37","checkContent":"$38","fixText":"$39"},{"id":"5e8606e4-c7fa-4d8e-b3d0-a0cb63639b02","vulnId":"V-225096","severity":"high","ruleTitle":"The ISEC7 Sphere server must be maintained at a supported version.","description":"Versions of ISEC7 Sphere server are maintained by ISEC7 for specific periods of time. Unsupported versions will not receive security updates for new vulnerabilities which leaves them subject to exploitation.\n\nA list of supported ISEC7 Sphere server versions is maintained by ISEC7 here: https://www.isec7-us.com/emm-suite-mobile-monitoring.","checkContent":"Review the ISEC7 Sphere server version after logging into the console. Correlate the version with the latest supported version of ISEC7 Sphere server.\n\nIf the installed version of ISEC7 Sphere server is not a supported version, this is a finding.","fixText":"The administrator must check https://www.isec7-us.com/emm-suite-mobile-monitoring for the latest supported and unsupported versions of software.\n\nOnce confirmed, the administrator must update ISEC7 Sphere server to the latest supported version."}]}]]}]

ISEC7 Sphere Security Technical Implementation Guide

Checks (34)