All Automation Controller NGINX front-end web servers must not perform user management for hosted applications.

STIG ID: APWS-AT-000250  |  SRG: SRG-APP-000141-WSR-000015 |  Severity: medium |  CCI: CCI-000381 |  Vulnerability Id: V-256946 | 

Vulnerability Discussion

Web servers require enterprise-wide user management capability in order to prevent unauthorized access, with features like attempt lockouts and password complexity requirements.

Unauthorized access to the web server makes the web server and the organization vulnerable to attack.

Note: The underlying NGINX web server does not perform user management or authentication. The Automation Controller includes user management and authentication capabilities. However, the user management controls built into Automation Controller may not be sufficient to enforce the appropriate level of password, sessions, and other policies required. It is strongly recommended that Automation Controller be configured to use the organization's Identity Management/Authentication Service. This may be an AD/LDAP service, OIDC, or other supported authentication service.

Check

As a system administrator for each Automation Controller NGINX web server host, navigate to Settings >> Authentication.

Review the configuration and verify that the appropriate authentication service is configured.

If no authentication service is configured, this is a finding.

Fix

As a system administrator for each Automation Controller NGINX web server host, navigate to Settings >> Authentication.

Configure the appropriate authentication service.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.