ColdFusion must authenticate users individually.

From Adobe ColdFusion 11 Security Technical Implementation Guide

Part of SRG-APP-000153-AS-000104

Associated with: CCI-000770

SV-76941r1_rule ColdFusion must authenticate users individually.

Vulnerability discussion

To assure individual accountability and prevent unauthorized access, application server users must be individually identified and authenticated.

A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users.

ColdFusion is installed with a Root Administrator Account. This account is configured during the installation phase. It should only be used for initial setup before user accounts are created and should not be used for day-to-day operations. When it is used as a group account, accountability, along with least privilege for the users, is lost.

Check content

Within the Administrator Console, navigate to the "User Manager" page under the "Security" menu. If there are no defined users, this is a finding.

Note that this check only confirms that individual administrator accounts exist; it does not by itself show that the Root Administrator Account is no longer being shared for day-to-day operations, so the roles assigned to each defined user should also be reviewed against the job function they support.

Fix text

Navigate to the "User Manager" page under the "Security" menu. Create an individual user for each person who needs access to the Administrator Console, granting only the roles necessary to perform that person's job function, and reserve the Root Administrator Account for initial setup.
