Title: The DBMS, when used for non-local maintenance sessions, must protect those sessions through the use of a strong authenticator tightly bound to the user.
Vulnerability ID: V-32485
IA Controls: None
Description: Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network.
Identification and authentication techniques used in the establishment of non-local maintenance and diagnostic sessions must be consistent with the network access requirements in IA-2 (NIST SP 800-53, Identification and Authentication). Strong authenticators include PKI, where the user's certificate and private key are stored on a hardware token protected by a password, passphrase, or biometric, so that the credential cannot be used without both possession of the token and knowledge (or presence) of its unlock factor.
Examples of types of applications used for non-local maintenance and diagnostic activities are provided below. Use as an example does not imply compliance with policy requirements or approval for use. Examples include, but are not limited to Terminal Services, Remote Desktop, Dameware, and VNC (all variants).
If non-local maintenance and diagnostic sessions are performed without the use of a strong authenticator bound to the user, the user's identity cannot be trusted: a reusable password or shared secret can be guessed, captured, or replayed by someone other than the user it was issued to. This can result in unauthenticated, or wrongly attributed, access to maintenance administrator functionality.
Check Text: Review DBMS authentication settings (the rules that govern how remote connections from maintenance and administrative accounts are authenticated) to determine whether the DBMS employs strong authentication, tightly bound to the user, for non-local maintenance sessions. If any non-local maintenance session can be established with an authenticator that is not strong and not tightly bound to the user (for example, a password alone), this is a finding.
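One way to carry out the check above on a concrete DBMS, as an added example that is not part of the SRG text: the script below audits a PostgreSQL pg_hba.conf and reports every network-reachable entry that lets a maintenance role authenticate with something other than a client certificate. It assumes the DBMS is PostgreSQL, that "cert" (or the "clientcert=verify-full" option, which requires the certificate CN to match the database role) is the PKI authenticator the requirement has in mind, and that the set of maintenance roles is known to the assessor; the sample configuration is constructed for the example.

```python
"""Audit a PostgreSQL pg_hba.conf for non-local entries that allow maintenance
(DBA) roles to authenticate with something weaker than a client certificate.

Added example for this requirement, not part of the SRG. Assumptions: the DBMS
is PostgreSQL; 'cert' or 'clientcert=verify-full' is the strong, user-bound
authenticator; ADMIN_ROLES lists the site's maintenance roles.
"""
from dataclasses import dataclass

# Authentication methods PostgreSQL recognises. Used to locate the method
# column, because 'host' lines may carry the netmask as a separate column.
KNOWN_METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss",
                 "sspi", "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}

# Connection types that arrive over the network (everything except 'local').
NETWORK_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


@dataclass
class Finding:
    lineno: int
    line: str
    reason: str


def parse_entry(line):
    """Return (type, databases, users, method, options) or None for blank/comment."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    if len(fields) < 4:
        return None  # malformed; PostgreSQL itself would refuse to load it
    ctype, dbs, users = fields[0], fields[1], fields[2]
    # The method is the first recognised method name after the user column.
    for i in range(3, len(fields)):
        if fields[i] in KNOWN_METHODS:
            options = dict(o.split("=", 1) for o in fields[i + 1:] if "=" in o)
            return ctype, dbs.split(","), users.split(","), fields[i], options
    return None


def covers_admin(users, admin_roles):
    """Could this entry's USER column match a maintenance role?

    'all', '+group' and '@file' cannot be resolved offline, so they are treated
    as covering maintenance roles (the conservative choice for an assessor).
    """
    return any(u == "all" or u.startswith(("+", "@")) or u in admin_roles
               for u in users)


def is_pki_bound(method, options):
    """True when the client certificate is verified and its CN must match the role."""
    if method == "cert":
        return True
    return options.get("clientcert") == "verify-full"


def audit(conf_text, admin_roles):
    """Return a Finding for each network entry letting an admin role in without PKI."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        entry = parse_entry(raw)
        if entry is None:
            continue
        ctype, _dbs, users, method, options = entry
        if ctype not in NETWORK_TYPES:
            continue  # Unix-socket entries are local, not non-local, maintenance
        if method == "reject":
            continue  # denies the connection; nothing is authenticated
        if not covers_admin(users, admin_roles):
            continue
        if not is_pki_bound(method, options):
            findings.append(Finding(
                n, raw.strip(),
                f"non-local {ctype} entry allows '{method}' for a maintenance role"))
    return findings


# Constructed sample pg_hba.conf (not taken from any real system).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS          METHOD
local   all       all                        peer
hostssl all       dba       10.0.0.0/8       cert
hostssl all       postgres  10.0.3.0/24      scram-sha-256 clientcert=verify-full
hostssl all       dba       10.0.1.0/24      scram-sha-256
host    all       all       192.168.1.0 255.255.255.0 md5
hostssl all       app_user  10.0.2.0/24      scram-sha-256
host    all       all       0.0.0.0/0        reject
"""

ADMIN_ROLES = {"postgres", "dba"}  # assumed maintenance roles for this site

if __name__ == "__main__":
    for f in audit(SAMPLE_HBA, ADMIN_ROLES):
        print(f"line {f.lineno}: {f.reason}\n    {f.line}")
```

Against the sample file the script reports lines 5 and 6 (a DBA role and the catch-all "all" reachable over the network with a password-only method); the cert line, the verify-full line, the application-only line and the reject line are not findings. The same shape of check (locate the remote-connection authentication rules, then confirm every rule that can admit a maintenance account requires a certificate bound to that account) applies to other DBMS products, with their own configuration sources substituted.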
Fix Text: Configure the DBMS security settings to require strong authentication, tightly bound to the user (for example, PKI with the certificate held on a password-, passphrase- or biometric-protected token), for all non-local maintenance sessions, and remove or reject any authentication rule that would allow a maintenance account to connect remotely with a weaker authenticator.