The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

From Application Server Security Requirements Guide

Associated with: CCI-002235

SV-71671r2_rule The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Vulnerability discussion

Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.Restricting non-privileged users also prevents an attacker, who has gained access to a non-privileged account, from elevating privileges, creating accounts, and performing system checks and maintenance.

Check content

Review application server documentation and configuration to verify that non-privileged users cannot access or execute privileged functions. Have a user logon as a non-privileged user and attempt to execute privileged functions. If the user is capable of executing privileged functions, this is a finding.

Fix text

Configure the application server to deny non-privileged users access to and execution of privileged functions.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.