AvePoint DocAve 6 Security Technical Implementation Guide

  • Version/Release: V1R2
  • Published: 2022-08-24
  • Released: 2022-08-24

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
DocAve must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
AC-10 - Medium - CCI-000054 - V-253510 - SV-253510r836505_rule
  • RMF Control: AC-10
  • Severity: Medium
  • CCI: CCI-000054
  • Version: DCAV-00-000001
  • Vuln IDs: V-253510
  • Rule IDs: SV-253510r836505_rule
Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks. This requirement may be met via the application or by utilizing information system session control provided by a web server with specialized session management capabilities. If it has been specified that this requirement will be handled by the application, the capability to limit the maximum number of concurrent single user sessions must be designed and built into the application. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.
Checks: C-56962r836503_chk

Check the DocAve Manager Maximum User Session setting.
- Log on to DocAve with admin account.
- On the Control Panel page, in the System Options section, click "Security Settings".
- Select the "System Security Policy" tab.
- Verify that Specify a maximum number of user sessions is set to "3" or less.

If Maximum number of user sessions is not set to "3" or less, this is a finding.

Fix: F-56913r836504_fix

Configure the DocAve Manager Maximum User Session setting.
- Log on to DocAve with admin account.
- On the Control Panel page, in the System Options section, click "Security Settings".
- Select the "System Security Policy" tab.
- Set Maximum number of user sessions to "3" or less.
- Save the settings.

DocAve must initiate a session lock after a 15-minute period of inactivity.
AC-11 - Medium - CCI-000057 - V-253511 - SV-253511r836508_rule
  • RMF Control: AC-11
  • Severity: Medium
  • CCI: CCI-000057
  • Version: DCAV-00-000003
  • Vuln IDs: V-253511
  • Rule IDs: SV-253511r836508_rule
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications must be able to identify when a user's application session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system-level and results in a system lock but may be at the application-level where the application interface window is secured instead.
Checks: C-56963r836506_chk

Check the DocAve Manager Session Timeout setting.
- Log on to DocAve with admin account.
- On the Control Panel page, in the System Options section, click "Security Settings".
- Select the "System Security Policy" tab.
- Verify Logon Will Expire is set to "15" minutes or less.

If the Logon Will Expire is not set to "15" minutes or less, this is a finding.

Fix: F-56914r836507_fix

Configure the DocAve Manager Session Timeout setting.
- Log on to DocAve with admin account.
- On the Control Panel page, in the System Options section, click "Security Settings".
- Select the "System Security Policy" tab.
- Set Logon Will Expire to "15" minutes or less.
- Save the settings.

DocAve must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
AC-17 - High - CCI-000068 - V-253512 - SV-253512r836511_rule
  • RMF Control: AC-17
  • Severity: High
  • CCI: CCI-000068
  • Version: DCAV-00-000006
  • Vuln IDs: V-253512
  • Rule IDs: SV-253512r836511_rule
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to Transport Layer Security (TLS) gateways (also known as Secure Sockets Layer [SSL] gateways), web servers, and web applications and is not applicable to virtual private network (VPN) devices. DocAve uses HTTPS and NetTcp protocols as the underlying security protocol and thus is in scope for this requirement.
Checks: C-56964r836509_chk

Check the .Net Framework version on DocAve servers.
- On the servers where DocAve is installed, open Registry Editor.
- Refer to the official Microsoft document to verify the .Net Framework version supports TLS 1.2. The official Microsoft Document URL is: https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client#bkmk_net.
- .NET Framework 4.6.2 or later supports TLS 1.2 inherently.

If the .Net Framework version doesn't support TLS 1.2, this is a finding.

Check that DocAve servers only have TLS 1.2 protocol enabled.
- On the DocAve servers, open Registry Editor.
- Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
- Verify TLS 1.0, TLS 1.1, and any SSL protocols are not enabled.

If TLS 1.0, TLS 1.1, or any SSL protocols are enabled, this is a finding.

Check that DocAve servers have strong cryptography setting enabled.
- On the DocAve servers, open Registry Editor.
- Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319.
- Verify "SystemDefaultTlsVersions" = dword:00000001 and "SchUseStrongCrypto" = dword:00000001, otherwise this is a finding.

Fix: F-56915r836510_fix

Consult the Microsoft documentation and ensure the .Net Framework on DocAve servers uses a version that supports TLS 1.2. Update if necessary.

Configure the DocAve servers to enable TLS 1.2 protocol only:
- On the DocAve servers, open Registry Editor.
- Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
- Disable TLS 1.0, TLS 1.1, and any SSL protocols if present.

Configure the DocAve servers to enable strong cryptography setting.
- On the DocAve servers, open Registry Editor.
- Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 and verify:
  "SystemDefaultTlsVersions" = dword:00000001
  "SchUseStrongCrypto" = dword:00000001
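
The three registry checks for DCAV-00-000006, collected into one read-only audit script. This is an added example, not part of the STIG. The `Enabled` value name, the `Server`/`Client` subkeys, the `NET Framework Setup\NDP\v4\Full` key and the `Release` threshold 394802 (.NET Framework 4.6.2) are Microsoft's documented names and values rather than text from this page, and the `Review` result is an addition for protocols with no explicit registry value, where the operating system default decides.

```powershell
# Added example (not part of the STIG): read-only audit of the registry values
# named in the DCAV-00-000006 check. Run in PowerShell on each DocAve server.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$NetFxKey     = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$NetSetupKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function New-Result {
    param([string]$Check, $Value, [string]$Result)
    [pscustomobject]@{ Check = $Check; Value = $Value; Result = $Result }
}

function Invoke-DocAveTlsAudit {
    # 1. .NET Framework version: Release 394802 or higher means 4.6.2 or later.
    $release = Get-RegValue -Path $NetSetupKey -Name 'Release'
    if ($null -ne $release -and $release -ge 394802) { $r = 'Pass' } else { $r = 'Finding' }
    New-Result -Check '.NET Framework Release (4.6.2 or later)' -Value $release -Result $r

    # 2. TLS 1.0, TLS 1.1 and SSL must not be enabled, for both SCHANNEL roles.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        foreach ($role in 'Server', 'Client') {
            $enabled = Get-RegValue -Path "$SchannelRoot\$proto\$role" -Name 'Enabled'
            # No explicit value: the OS default applies, so a person has to decide.
            if ($null -eq $enabled) { $r = 'Review' }
            elseif ($enabled -eq 0) { $r = 'Pass' }
            else { $r = 'Finding' }
            New-Result -Check "$proto $role Enabled" -Value $enabled -Result $r
        }
    }

    # 3. Strong cryptography settings for .NET Framework 4.x; both must equal 1.
    foreach ($name in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
        $value = Get-RegValue -Path $NetFxKey -Name $name
        if ($value -eq 1) { $r = 'Pass' } else { $r = 'Finding' }
        New-Result -Check ".NET v4.0.30319 $name" -Value $value -Result $r
    }
}

Invoke-DocAveTlsAudit | Format-Table -AutoSize
```

A `Review` row is common on servers where a legacy protocol was never configured; whether it counts as "not enabled" depends on the Windows version's default for that protocol.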

DocAve must provide automated mechanisms for supporting account management functions.
AC-2 - Medium - CCI-000015 - V-253513 - SV-253513r836514_rule
  • RMF Control: AC-2
  • Severity: Medium
  • CCI: CCI-000015
  • Version: DCAV-00-000009
  • Vuln IDs: V-253513
  • Rule IDs: SV-253513r836514_rule
Remote access (e.g., Remote Desktop Protocol [RDP]) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
Checks: C-56965r836512_chk

DocAve supports integration with Active Directory (AD) for automated account management.

Check the DocAve configuration to ensure AD Integration is enabled.
- Log on to DocAve with admin account.
- On the Control Panel page, in the Authentication Manager section, click "Authentication Manager".
- Navigate to AD Integration.
- Verify that the AD Integration option is enabled.

If the AD Integration option is not enabled, this is a finding.

Fix: F-56916r836513_fix

Configure DocAve to ensure AD Integration is enabled.
- Log on to DocAve with admin account.
- On the Control Panel page, in the Authentication Manager section, click "Authentication Manager".
- Navigate to AD Integration.
- Set the Action of AD Integration to Enable.
- Save settings.

Add the AD user or group to DocAve through Account Manager, so that the automated mechanisms are provided by the AD account management functions.

DocAve must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
CM-7 - Medium - CCI-000382 - V-253514 - SV-253514r841862_rule
  • RMF Control: CM-7
  • Severity: Medium
  • CCI: CCI-000382
  • Version: DCAV-00-000054
  • Vuln IDs: V-253514
  • Rule IDs: SV-253514r841862_rule
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Applications are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.
Checks: C-56966r836515_chk

Check the DocAve Manager communication port setting.
- On the DocAve 6 Manager server, open DocAve 6 Manager Configuration Tool from the Start Menu.
- Click "Control Service Configuration" on the left.
- Verify the Website Port.
- Click "Media Service Configuration" on the left.
- Verify the Media Service Port and Media Service Data Port.
- Click "Report Service Configuration" on the left.
- Verify the Report Service Port.

If any of these ports used by the DocAve Manager Services are not in accordance with the PPSM CAL, or otherwise AO Approved, this is a finding.

Check the DocAve Agent communication port setting.
- On the DocAve 6 Agent server, open DocAve 6 Agent Configuration Tool.
- Navigate to the Host And Port panel.
- Verify the Agent Port.

If the Agent Port is not in accordance with the PPSM CAL, or otherwise AO Approved, this is a finding.

Check the DocAve Control Service update port setting.
- Log on to DocAve with admin account.
- On the Control Panel page, in the Update Manager section, click "Update Manager", then click "Update Settings".
- Navigate to the Update Port section.
- Verify the Update Port.

If the Update Port is not in accordance with the PPSM CAL, or otherwise AO Approved, this is a finding.

Fix: F-56917r841862_fix

Configure the DocAve Manager communication port setting.
- On the DocAve 6 Manager server, open DocAve 6 Manager Configuration Tool.
- Click "Control Service Configuration" on the left.
- Change the Website Port.
- Click "Media Service Configuration" on the left.
- Change the Media Service Port and Media Service Data Port.
- Click "Report Service Configuration" on the left.
- Change the Report Service Port.
- Click "OK" to save settings.

Configure the DocAve Agent communication port setting.
- On the DocAve 6 Agent server, open DocAve 6 Agent Configuration Tool.
- Navigate to the Host And Port panel.
- Change the Agent Port.
- Click "OK" to save settings.

Configure the DocAve Control Service update port setting.
- Log on to DocAve with admin account.
- On the Control Panel page, in the Update Manager section, click "Update Manager", then click "Update Settings" button.
- Navigate to the Update Port section.
- Change the Update Port.
- Click Save button to save settings.

DocAve must use multifactor authentication for network access to privileged accounts.
IA-2 - High - CCI-000765 - V-253515 - SV-253515r836520_rule
  • RMF Control: IA-2
  • Severity: High
  • CCI: CCI-000765
  • Version: DCAV-00-000056
  • Vuln IDs: V-253515
  • Rule IDs: SV-253515r836520_rule
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Something a user is (e.g., biometric). Multifactor authentication decreases the attack surface by virtue of the fact that attackers must obtain two factors, a physical token or a biometric and a PIN, in order to authenticate. It is not enough to simply steal a user's password to obtain access. A privileged account is defined as an information system account with authorizations of a privileged user. Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet).
Checks: C-56967r836518_chk

DocAve supports Client Certificate Authentication for multi-factor authentication, which requires both Windows Authentication and Client Certificate Authentication enabled in DocAve. Settings must be configured in IIS and DocAve. The IIS configuration under DCAV-00-000057 should be performed first.

Check the DocAve Client Certificate Authentication configuration.
- Log on to DocAve with admin account.
- On the Control Panel page, in the Authentication Manager section, click "Authentication Manager".
- Verify that "Client Certificate Authentication" is enabled.

If "Client Certificate Authentication" is not enabled, this is a finding.

Check the DocAve Windows Authentication configuration.
- Log on to DocAve with admin account.
- On the Control Panel page, in the Authentication Manager section, click "Authentication Manager".
- Verify that "Windows Authentication" is enabled.

If "Windows Authentication" is not enabled, this is a finding.

Fix: F-56918r836519_fix

Configure DocAve to use Smart Card Authentication. Settings must be configured in IIS and DocAve. The IIS configuration under DCAV-00-000057 should be performed first.
- Log on to DocAve with admin account.
- On the Control Panel page, in the Authentication Manager section, click "Authentication Manager".
- Click "Enable" in the Action column of the Client Certificate Authentication row to enable client certificate authentication.
- Click "Enable" in the Action column of the Windows Authentication row to enable Windows Authentication.
- Back to the Control Panel page, in the Account Manager section, click "Account Manager".
- Click "Users-Add User".
- Select Client Certificate User from the drop-down list in the "What kind of user would you like to add?" field.
- Specify the user in the Windows User/Group Name field.
- Add this user to one or more DocAve groups.
- Save the settings.

The underlying IIS platform must be configured for Smart Card (CAC) Authorization.
IA-2 - High - CCI-000765 - V-253516 - SV-253516r836523_rule
  • RMF Control: IA-2
  • Severity: High
  • CCI: CCI-000765
  • Version: DCAV-00-000057
  • Vuln IDs: V-253516
  • Rule IDs: SV-253516r836523_rule
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Something a user is (e.g., biometric). Multifactor authentication decreases the attack surface by virtue of the fact that attackers must obtain two factors, a physical token or a biometric and a PIN, in order to authenticate. It is not enough to simply steal a user's password to obtain access. A privileged account is defined as an information system account with authorizations of a privileged user. Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet).
Checks: C-56968r836521_chk

Check the Web Server (IIS) features required for Client Certificate Authentication are installed.
- On the DocAve 6 Manager server, open Server Manager, then click add/remove roles.
- Expand Web Server (IIS) >> Web Server >> Security.
- Verify that the "Client Certificate Mapping Authentication" and "Windows Authentication" features are installed.

If the features are not installed, this is a finding.

On the DocAve Manager server, open IIS Manager.
- Expand Sites and select the site used for DocAve. The default site name is DocAve6.
- Open the SSL Settings of [DocAve6] site under IIS.
- Verify the "Require SSL" checkbox is selected.
- Verify the "Require" radio button under "Client Certificates" is selected. Return to the Site Settings Home.

If the "Require SSL" checkbox is not selected, or the "Require" radio button under "Client Certificates" is not selected, this is a finding.

- Open the Authentication Settings of [DocAve6] site under IIS.
- Verify "Windows Authentication" is set to "Enable". Return to the Site Settings Home.

If "Windows Authentication" is not set to "Enable", this is a finding.

- Expand the [DocAve6] site, select Trust.
- Open the SSL Settings under IIS.
- Check the "Require SSL" checkbox.
- Select the "Require" radio button under "Client Certificates". Return to the Site Settings Home.

If the "Require SSL" checkbox is not selected, or the "Require" radio button under "Client Certificates" is not selected, this is a finding.

Fix: F-56919r836522_fix

Install the Web Server (IIS) features required for Client Certificate Authentication.
- On the DocAve 6 Manager server, open Server Manager, then click add/remove roles.
- Expand Web Server (IIS) >> Web Server >> Security.
- Install the "Client Certificate Mapping Authentication" and "Windows Authentication" features.

On the DocAve Manager server, open IIS Manager.
- Expand Sites and select the site used for DocAve. The default site name is DocAve6.
- Open the SSL Settings of [DocAve6] site under IIS.
- Check the "Require SSL" checkbox.
- Select the "Require" radio button under "Client Certificates". Return to the Site Settings Home.
- Open the Authentication Settings of [DocAve6] site under IIS.
- Highlight "Windows Authentication" and select "Enable". Return to the Site Settings Home.
- Expand the [DocAve6] site, select Trust.
- Open the SSL Settings under IIS.
- Check the "Require SSL" checkbox.
- Select the "Require" radio button under "Client Certificates". Return to the Site Settings Home.
- Restart the [DocAve6] Application Pool and Web Site.

DocAve must control remote access methods.
AC-17 - Medium - CCI-002314 - V-253517 - SV-253517r836526_rule
  • RMF Control: AC-17
  • Severity: Medium
  • CCI: CCI-002314
  • Version: DCAV-00-000130
  • Vuln IDs: V-253517
  • Rule IDs: SV-253517r836526_rule
Remote access applications, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Remote access applications must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).
Checks: C-56969r836524_chk

Check the DocAve Manager configuration to ensure it restricts inbound connections from nonsecure zones.
- Log on to DocAve as admin account.
- On the Control Panel page, under System Options, select "Security Settings".
- Navigate to "Network Security" section.

If Enable Network Security is not selected, this is a finding.

If Enable Network Security is selected, review the entries under Trusted Network. Verify only known, secure IPs are configured as Allow.

If IP ranges configured to be Allowed are not restrictive enough to prevent connections from nonsecure zones, this is a finding.

Fix: F-56920r836525_fix

Configure DocAve Manager, if needed, to restrict inbound connections from nonsecure zones.
- Log on to DocAve as admin account.
- On the Control Panel page, under System Options, select "Security Settings".
- Navigate to "Network Security" section.
- Select "Enable Network Security" option.
- Add known, secure IPs to the Allow list under Trusted Network.
- Save the settings.

DocAve must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
SC-23 - Medium - CCI-002470 - V-253518 - SV-253518r836529_rule
  • RMF Control: SC-23
  • Severity: Medium
  • CCI: CCI-002470
  • Version: DCAV-00-000192
  • Vuln IDs: V-253518
  • Rule IDs: SV-253518r836529_rule
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of TLS certificates. This requirement focuses on communications protection for the application session rather than for the network packet. This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA).
Checks: C-56970r836527_chk

There are three different settings in DocAve that are related to certificates:
- The DocAve web server for the web UI;
- The DocAve Manager communication certificate for communicating with DocAve Agents;
- The DocAve Agent communication certificate for communicating with DocAve Manager.

Check the DocAve Web Site certificate setting.
- On the DocAve 6 Manager server, open Internet Information Services (IIS) Manager.
- In IIS Manager, expand the Sites node in the Connections panel on the left and find DocAve 6 Control Service Web Site. The default name of DocAve Control Web Site is DocAve6.
- Click "Bindings" in the Actions panel on the right to open the Site Bindings window.
- Click "Edit" in Site Bindings window to open the Edit Site Binding window.
- Verify the certificate information.

If the certificate used is not a DoD- (or AO-) approved certificate, this is a finding.

Check the DocAve Manager communication certificate setting.
- On the DocAve 6 Manager server, open DocAve 6 Manager Configuration Tool.
- Click "Advanced Configuration" on the left.
- Verify the certificate information.

If the certificate used is not a DoD approved certificate, this is a finding.

Check the DocAve Agent communication certificate setting.
- On the DocAve 6 Agent server, open DocAve 6 Agent Configuration Tool.
- Navigate to the SSL Certificate panel.
- Verify the certificate information.

If the certificate used is not a DoD-approved certificate, this is a finding.

Fix: F-56921r836528_fix

Configure DocAve to ensure that it uses PKI certificates obtained from a DoD-approved internal or external certificate authority. There are three different settings in DocAve that are related to certificates:
- The DocAve web server for the web UI;
- The DocAve Manager communication certificate for communicating with DocAve Agents;
- The DocAve Agent communication certificate for communicating with DocAve Manager.

Configure the DocAve Web Site certificate setting.
- On the DocAve 6 Manager server, open Internet Information Services (IIS) Manager.
- In IIS Manager, expand the Sites node in the Connections panel on the left and find DocAve 6 Control Service Web Site. The default name of DocAve Control Web Site is DocAve6.
- Click "Bindings" in the Actions panel on the right to open the Site Bindings window.
- Click "Edit" in Site Bindings window to open the Edit Site Binding window.
- Select the DoD-approved certificate.
- Click "OK" to save settings.

Configure the DocAve Manager communication certificate setting.
- On the DocAve 6 Manager server, open DocAve 6 Manager Configuration Tool.
- Click "Advanced Configuration" on the left.
- Click the "User-defined Certificate" radio button, then click "Select Certificate" to open the Windows Security window.
- Select the DoD-approved certificate.
- Click "OK" to save settings.

Configure the DocAve Agent communication certificate setting.
- On the DocAve 6 Agent server, open DocAve 6 Agent Configuration Tool.
- Navigate to the SSL Certificate panel.
- Click the "User-defined Certificate" radio button, then click "Select Certificate" to open the Windows Security window.
- Select the DoD-approved certificate.
- Click "OK" to save settings.
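
To support the "verify the certificate information" steps for DCAV-00-000192, the script below builds the chain for each server certificate and reports whether it ends at an approved root. This is an added example, not part of the STIG; the function name `Test-CertificateRoot`, the placeholder root thumbprint, and the assumption that the certificates selected in IIS and in the DocAve configuration tools are in the local machine's Personal store are illustrative and must be adjusted to the environment.

```powershell
# Added example (not part of the STIG): report the root CA each certificate
# chains to and whether that root is on an operator-supplied approved list.
function Test-CertificateRoot {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Thumbprints of the approved root CAs, supplied by the operator.
        [Parameter(Mandatory)][string[]]$ApprovedRootThumbprint
    )
    # Normalise pasted thumbprints (spaces removed, upper case).
    $approvedList = $ApprovedRootThumbprint | ForEach-Object { ($_ -replace '\s', '').ToUpper() }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    try {
        # Revocation is skipped so the audit needs no network access; check it separately.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $built = $chain.Build($Certificate)

        # The last chain element is the root when the chain is complete.
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        # A partial chain ends at a certificate that is not self-issued.
        $isRoot = $top.Subject -eq $top.Issuer
        $approved = $built -and $isRoot -and ($approvedList -contains $top.Thumbprint)

        [pscustomobject]@{
            Thumbprint   = $Certificate.Thumbprint
            Subject      = $Certificate.Subject
            NotAfter     = $Certificate.NotAfter
            ChainBuilt   = $built
            ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            ChainEndsAt  = $top.Subject
            ApprovedRoot = $approved
        }
    }
    finally {
        $chain.Reset()
    }
}

# Placeholder: replace with the thumbprints of the DoD- or AO-approved root CAs.
$approvedRoots = @('<APPROVED-ROOT-CA-THUMBPRINT>')

# Assumption: the certificates used by the DocAve6 site, DocAve Manager and
# DocAve Agent are in the local machine's Personal store.
Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-CertificateRoot -Certificate $_ -ApprovedRootThumbprint $approvedRoots } |
    Format-List
```

Match the `Thumbprint` of each row against the certificate shown in the Edit Site Binding window and in the Manager and Agent configuration tools; only those rows bear on the finding.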