STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
Unified Endpoint Management Server Security Requirements Guide

Version: V2R4
Release Date: Sep 10, 2025
SCAP Benchmark ID: UEM_Server_SRG
Total Checks: 138
Tags: other
Severity breakdown: CAT I: 15, CAT II: 122, CAT III: 1

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Checks (138)

  • V-234275 (MEDIUM): The UEM server must limit the number of concurrent sessions per privileged user account to three or less concurrent sessions.
  • V-234276 (MEDIUM): The UEM server must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
  • V-234277 (MEDIUM): The UEM server must initiate a session lock after a 15-minute period of inactivity.
  • V-234278 (MEDIUM): The MDM server must provide the capability for users to directly initiate a session lock.
  • V-234279 (MEDIUM): The MDM server must retain the session lock until the user reestablishes access using established identification and authentication procedures.
  • V-234283 (MEDIUM): The UEM server must use TLS 1.2, or higher, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
  • V-234286 (MEDIUM): The UEM server must provide automated mechanisms for supporting account management functions.
  • V-234287 (MEDIUM): The UEM server must automatically remove or disable temporary user accounts after 72 hours if supported by the UEM server.
  • V-234288 (MEDIUM): The UEM server must automatically disable accounts after a 35-day period of account inactivity.
  • V-234289 (MEDIUM): The UEM server must automatically audit account creation.
  • V-234290 (MEDIUM): The UEM server must automatically audit account modification.
  • V-234291 (MEDIUM): The UEM server must automatically audit account disabling actions.
  • V-234292 (MEDIUM): The UEM server must automatically audit account removal actions.
  • V-234310 (MEDIUM): The UEM server must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
  • V-234311 (MEDIUM): The UEM server must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application.
  • V-234312 (LOW): The UEM server must retain the access banner until the user acknowledges acceptance of the access conditions.
  • V-234318 (MEDIUM): The UEM server must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
  • V-234323 (MEDIUM): The UEM server must provide audit record generation capability for DoD-defined auditable events within all application components.
  • V-234324 (MEDIUM): The UEM server must be configured to provide audit records in a manner suitable for the Authorized Administrators to interpret the information.
  • V-234325 (MEDIUM): The UEM server must be configured to allow only specific administrator roles to select which auditable events are to be audited.
  • V-234326 (MEDIUM): The UEM server must generate audit records when successful/unsuccessful attempts to access privileges occur.
  • V-234327 (MEDIUM): The UEM server must initiate session auditing upon startup.
  • V-234328 (MEDIUM): The UEM server must be configured to produce audit records containing information to establish what type of events occurred.
  • V-234329 (MEDIUM): The UEM server must be configured to produce audit records containing information to establish when (date and time) the events occurred.
  • V-234330 (MEDIUM): The UEM server must be configured to produce audit records containing information to establish where the events occurred.
  • V-234331 (MEDIUM): The UEM server must be configured to produce audit records containing information to establish the source of the events.
  • V-234332 (MEDIUM): The UEM server must be configured to produce audit records that contain information to establish the outcome of the events.
  • V-234333 (MEDIUM): The UEM server must be configured to generate audit records containing information that establishes the identity of any individual or process associated with the event.
  • V-234334 (MEDIUM): The UEM server must be configured to generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.
  • V-234335 (MEDIUM): The UEM SRG must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
  • V-234340 (MEDIUM): The UEM server must use host operating system clocks to generate time stamps for audit records.
  • V-234341 (MEDIUM): The UEM server must protect audit information from any type of unauthorized read access.
  • V-234342 (MEDIUM): The UEM server must protect audit information from unauthorized modification.
  • V-234343 (MEDIUM): The UEM server must protect audit information from unauthorized deletion.
  • V-234347 (MEDIUM): The UEM server must back up audit records at least every seven days onto a log management server.
  • V-234349 (MEDIUM): The UEM server must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
  • V-234351 (MEDIUM): The UEM server must limit privileges to change the software resident within software libraries.
  • V-234352 (MEDIUM): The UEM server must be configured to disable non-essential capabilities.
  • V-234353 (MEDIUM): The firewall protecting the UEM server platform must be configured so only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).
  • V-234354 (MEDIUM): The UEM server must be configured to use only documented platform APIs.
  • V-234355 (MEDIUM): The UEM server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
  • V-234356 (MEDIUM): The UEM server must be configured to use a DoD Central Directory Service to provide multifactor authentication for network access to privileged and non-privileged accounts.
  • V-234358 (MEDIUM): All UEM server local accounts created during application installation and configuration must be removed. Note: In this context local accounts refers to user and or administrator accounts on the server that use user name and password for user access and authentication.
  • V-234360 (MEDIUM): The UEM server must ensure users are authenticated with an individual authenticator prior to using a group authenticator.
  • V-234361 (MEDIUM): The UEM server must be configured to use DOD PKI for multifactor authentication. This requirement is included in SRG-APP-000149.
  • V-234363 (HIGH): The UEM server must use FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
  • V-234364 (MEDIUM): The UEM server must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
  • V-234367 (MEDIUM): The UEM server must enforce a minimum 15-character password length.
  • V-234368 (MEDIUM): The UEM server must prohibit password reuse for a minimum of five generations.
  • V-234369 (MEDIUM): The UEM server must enforce password complexity by requiring that at least one uppercase character be used.
  • V-234370 (MEDIUM): The UEM server must enforce password complexity by requiring that at least one lowercase character be used.
  • V-234371 (MEDIUM): The UEM server must enforce password complexity by requiring that at least one numeric character be used.
  • V-234372 (MEDIUM): The UEM server must enforce password complexity by requiring that at least one special character be used.
  • V-234373 (MEDIUM): UEM server must require the change of at least 50 percent of the previous password's characters.
  • V-234374 (MEDIUM): For UEM server using password authentication, the application must store only cryptographic representations of passwords.
  • V-234375 (HIGH): For UEM server using password authentication, the network element must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.
  • V-234377 (MEDIUM): The UEM server must enforce a 60-day maximum password lifetime restriction.
  • V-234378 (MEDIUM): When using PKI-based authentication for user access, the UEM server must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
  • V-234379 (MEDIUM): When the UEM server cannot establish a connection to determine the validity of a certificate, the server must be configured not to have the option to accept the certificate.
  • V-234380 (MEDIUM): The UEM server, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
  • V-234381 (MEDIUM): The UEM server must map the authenticated identity to the individual user or group account for PKI-based authentication.
  • V-234382 (MEDIUM): The UEM server must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
  • V-234383 (HIGH): The UEM server must use FIPS-validated SHA-2 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, and hash-only applications.
  • V-234390 (MEDIUM): The UEM server must be configured to provide a trusted communication channel between itself and authorized IT entities using [selection: -IPsec, -SSH, -mutually authenticated TLS, -mutually authenticated DTLS, -HTTPS].
  • V-234391 (MEDIUM): The UEM server must be configured to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and remote administrators that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection: -IPsec, -SSH, -TLS, -HTTPS].
  • V-234392 (MEDIUM): The UEM server must be configured to invoke either host-OS functionality or server functionality to provide a trusted communication channel between itself and managed devices that provides assured identification of its endpoints and protection of the communicated data from modification and disclosure using [selection: -TLS, -HTTPS].
  • V-234405 (MEDIUM): The UEM server must protect the authenticity of communications sessions.
  • V-234406 (MEDIUM): The UEM server must invalidate session identifiers upon user logout or other session termination.
  • V-234407 (MEDIUM): The UEM server must recognize only system-generated session identifiers.
  • V-234408 (HIGH): The UEM server must generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.
  • V-234409 (MEDIUM): The UEM server must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.
  • V-234410 (MEDIUM): In the event of a system failure, the UEM server must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
  • V-234421 (MEDIUM): The UEM server must check the validity of all data inputs.
  • V-234424 (MEDIUM): The UEM server must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
  • V-234425 (MEDIUM): The UEM server must reveal error messages only to the Information System Security Manager (ISSM) and Information System Security Officer (ISSO).
  • V-234430 (MEDIUM): The application must notify the Information System Security Manager (ISSM) and Information System Security Officer (ISSO) of failed security verification tests.
  • V-234438 (MEDIUM): The UEM server must notify system administrators (SAs) and the information system security officer (ISSO) when accounts are created.
  • V-234439 (MEDIUM): The UEM server must notify system administrators (SAs) and the information system security officer (ISSO) when accounts are modified.
  • V-234440 (MEDIUM): The UEM server must notify system administrators (SAs) and the information system security officer (ISSO) for account disabling actions.
  • V-234441 (MEDIUM): The UEM server must notify system administrators (SAs) and the information system security officer (ISSO) for account removal actions.
  • V-234442 (MEDIUM): The UEM server must automatically terminate a user session after an organization-defined period of user inactivity.
  • V-234443 (MEDIUM): The UEM server must provide logout capability for user-initiated communication sessions.
  • V-234444 (MEDIUM): The UEM server must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
  • V-234465 (MEDIUM): The UEM server must automatically audit account-enabling actions.
  • V-234466 (MEDIUM): The UEM server must notify system administrator (SA) and information system security officer (ISSO) of account enabling actions.
  • V-234475 (MEDIUM): The UEM server must be configured to have at least one user in defined administrator roles.
  • V-234489 (MEDIUM): The UEM server must audit the execution of privileged functions.
  • V-234491 (MEDIUM): The UEM server must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
  • V-234500 (MEDIUM): The UEM server must be configured to transfer UEM server logs to another server for storage, analysis, and reporting. Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices.
  • V-234516 (MEDIUM): The UEM server must be configured to record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
  • V-234517 (MEDIUM): The UEM server must be configured to record time stamps for audit records that meet a granularity of one second for a minimum degree of precision.
  • V-234520 (MEDIUM): The UEM server must prohibit user installation of software by an administrator without the appropriate assigned permission for software installation.
  • V-234521 (MEDIUM): The UEM server must be configured to only allow enrolled devices that are compliant with UEM policies and assigned to a user in the application access group to download applications.
  • V-234523 (MEDIUM): The UEM server must enforce access restrictions associated with changes to the server configuration.
  • V-234524 (MEDIUM): The UEM server must audit the enforcement actions used to restrict access associated with changes to the application.
  • V-234526 (MEDIUM): The UEM server must disable organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure.
  • V-234538 (HIGH): Before establishing a connection to any endpoint device being managed, the UEM server must establish a trusted path between the server and endpoint that provides assured identification of the end point using a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the device.
  • V-234543 (MEDIUM): The UEM server must prohibit the use of cached authenticators after an organization-defined time period.
  • V-234544 (MEDIUM): The UEM server, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
  • V-234555 (HIGH): The UEM server must configure web management tools with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions.
  • V-234556 (MEDIUM): The UEM server must verify remote disconnection when non-local maintenance and diagnostic sessions are terminated.
  • V-234573 (MEDIUM): The UEM server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
  • V-234574 (MEDIUM): The UEM server must be configured to use X.509v3 certificates for code signing for system software updates.
  • V-234575 (MEDIUM): The UEM server must be configured to use X.509v3 certificates for code signing for integrity verification.
  • V-234588 (HIGH): The UEM server must connect to [assignment: [list of applications]] and managed mobile devices with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information.
  • V-234596 (MEDIUM): The UEM server must be configured to write to the server event log when invalid inputs are received.
  • V-234603 (MEDIUM): The UEM server must remove old software components after updated versions have been installed.
  • V-234605 (HIGH): The UEM server must install security-relevant software updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs).
  • V-234622 (MEDIUM): The UEM server must be configured with the periodicity of the following commands to the agent of six hours or less: - query connectivity status - query the current version of the managed device firmware/software - query the current version of installed mobile applications - read audit logs kept by the managed device.
  • V-234623 (MEDIUM): The UEM server must run a suite of self-tests during initial start-up (power on) to demonstrate correct operation of the server.
  • V-234624 (MEDIUM): The UEM server must alert the system administrator when anomalies in the operation of security functions are discovered.
  • V-234629 (MEDIUM): The UEM server must be configured to verify software updates to the server using a digital signature mechanism prior to installing those updates.
  • V-234642 (MEDIUM): The UEM server must generate audit records when successful/unsuccessful attempts to access security objects occur.
  • V-234645 (MEDIUM): The UEM server must generate audit records when successful/unsuccessful attempts to modify privileges occur.
  • V-234646 (MEDIUM): The UEM server must generate audit records when successful/unsuccessful attempts to modify security objects occur.
  • V-234649 (MEDIUM): The UEM server must generate audit records when successful/unsuccessful attempts to delete privileges occur.
  • V-234651 (MEDIUM): The UEM server must generate audit records when successful/unsuccessful attempts to delete security objects occur.
  • V-234653 (MEDIUM): The UEM server must generate audit records when successful/unsuccessful logon attempts occur.
  • V-234654 (MEDIUM): The UEM server must generate audit records for privileged activities or other system-level access.
  • V-234655 (MEDIUM): The UEM server must generate audit records showing starting and ending time for user access to the system.
  • V-234656 (MEDIUM): The UEM server must generate audit records when concurrent logons from different workstations occur.
  • V-234657 (MEDIUM): The UEM server must generate audit records when successful/unsuccessful accesses to objects occur.
  • V-234658 (MEDIUM): The UEM server must generate audit records for all direct access to the information system.
  • V-234659 (MEDIUM): The UEM server must generate audit records for all account creations, modifications, disabling, and termination events.
  • V-234664 (HIGH): The UEM server must use a FIPS-validated cryptographic module to generate cryptographic hashes.
  • V-234665 (MEDIUM): The UEM server must, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly.
  • V-234666 (MEDIUM): The UEM server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
  • V-234667 (MEDIUM): The UEM server must be configured to allow authorized administrators to read all audit data from audit records on the server.
  • V-234668 (HIGH): The UEM server must be configured to implement FIPS 140-2/140-3 mode for all server and agent encryption.
  • V-234669 (MEDIUM): The UEM server must be configured to prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0.
  • V-234673 (MEDIUM): The UEM server must authenticate endpoint devices (servers) before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
  • V-234674 (MEDIUM): If cipher suites using pre-shared keys are used for device authentication, the UEM server must have a minimum security strength of 112 bits or higher.
  • V-234676 (MEDIUM): The UEM server must validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation.
  • V-234677 (HIGH): The application must use FIPS-validated SHA-256 or higher hash function for digital signature generation and verification.
  • V-256892 (HIGH): The UEM server must provide digitally signed policies and policy updates to the UEM agent.
  • V-264368 (HIGH): The UEM server must sign policies and policy updates using a private key associated with [selection: an X509 certificate, a public key provisioned to the agent trusted by the agent] for policy verification.
  • V-264369 (HIGH): The UEM server, for each unique policy managed, must validate the policy is appropriate for an agent using [selection: a private key associated with an X509 certificate representing the agent, a token issued by the agent] associated with a policy signing key uniquely associated with the policy.
  • V-279012 (HIGH): The UEM server must be a version supported by the vendor.