Server Authentication is not configured on the Sun Ray server.

From Sun Ray 4 STIG

Part of Server Authentication is not configured

Associated with IA controls: ECSC-1

SV-17137r1_rule Server Authentication is not configured on the Sun Ray server.

Vulnerability discussion

It is possible to spoof a Sun Ray server or a Sun Ray client and pose as either. This enables a man-in-the-middle attack, in which an impostor claims to be the Sun Ray server to the clients and pretends to be a client to the server, intercepting every message and gaining access to all of the supposedly secure data. Mutual (client and server) authentication would defeat this attack; however, only server-side authentication is supported, through the pre-configured public/private key pairs in Sun Ray Server Software and the client firmware. The Digital Signature Algorithm (DSA) is used to verify that clients are communicating with a valid Sun Ray server. This authentication scheme is not completely foolproof, but it mitigates man-in-the-middle attacks and makes it harder for an attacker to spoof Sun Ray Server Software.
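The scheme just described, worked through as an added example that is not Sun Ray's own code: a minimal textbook DSA with toy parameter sizes, a client that trusts only the server public key it was pre-configured with, and a server that proves possession of the matching private key by signing a client nonce. The message framing, the `server-auth:` tag, the nonce length and every function name are assumptions; nothing here reproduces the real Sun Ray protocol.

```python
"""Server-only authentication with DSA: the client is built with the server's
public key, the server signs a client nonce, an impostor with another key fails."""
import hashlib
import random
import secrets


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin; fine for an illustration, not for production parameters."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_params(p_bits=512, q_bits=160):
    """DSA domain parameters (p, q, g) with q | p - 1. Toy sizes, for speed."""
    while True:
        q = random.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if _is_probable_prime(q):
            break
    while True:
        p = 2 * random.getrandbits(p_bits - q_bits - 1) * q + 1  # keeps p odd
        if _is_probable_prime(p):
            break
    while True:
        g = pow(random.randrange(2, p - 1), (p - 1) // q, p)
        if g != 1:
            return p, q, g

def _hash_to_int(msg, q):
    """SHA-256, truncated to the leftmost bit_length(q) bits as FIPS 186 does."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return h >> max(0, 256 - q.bit_length())

def keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1          # private key in [1, q-1]
    return x, pow(g, x, p)                    # (private, public)

def sign(params, x, msg):
    p, q, g = params
    z = _hash_to_int(msg, q)
    while True:
        k = secrets.randbelow(q - 1) + 1      # fresh per signature; reuse leaks x
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (z + x * r) % q
        if r and s:
            return r, s

def verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = _hash_to_int(msg, q) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r

# --- the exchange (message framing is an assumption, not the Sun Ray wire format) ---
def client_challenge():                       # client -> server
    return secrets.token_bytes(16)

def server_respond(params, priv, nonce):      # server -> client
    return nonce, sign(params, priv, b"server-auth:" + nonce)

def client_accept(params, trusted_pub, nonce, echo, sig):
    """Client verdict: only the pre-configured key may have signed our nonce."""
    return echo == nonce and verify(params, trusted_pub, b"server-auth:" + echo, sig)

def run_handshake(params, trusted_pub, server_priv):
    nonce = client_challenge()
    echo, sig = server_respond(params, server_priv, nonce)
    return client_accept(params, trusted_pub, nonce, echo, sig)

def demo():
    params = generate_params()
    server_priv, server_pub = keygen(params)
    impostor_priv, _ = keygen(params)         # attacker's own key, absent from firmware
    return (run_handshake(params, server_pub, server_priv),
            run_handshake(params, server_pub, impostor_priv))   # (True, False)
```

`demo()` returns `(True, False)`: the genuine server passes, the impostor's signature is rejected. Note what this check does not do. It says nothing about who the client is, which is the gap the discussion above refers to when it says only server-side authentication is supported. And a bare nonce challenge can be relayed by a machine in the middle to the genuine server and its answer passed back, so a real deployment binds the signed material to the session's key exchange rather than to a nonce alone; that binding is left out of this illustration.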

Check content

Within the Sun Ray Administration console, perform the following:

1. Select the Advanced tab.
2. Select the Security tab.
3. Verify that “Server Authentication” is checked.

If it is not checked, this is a finding.

Fix text

Enable Server Authentication for the Sun Ray server.


Powered by sagemincer