The Bromium Enterprise Controller (BEC) must remove all local Bromium accounts after setup is complete and use the account recovery procedures to recover the local account if network access using the Bromium Account of Last Resort is required.

From Bromium Secure Platform 4.x Security Technical Implementation Guide

Part of SRG-APP-000149

Associated with: CCI-000765

SV-95139r1_rule The Bromium Enterprise Controller (BEC) must remove all local Bromium accounts after setup is complete and use the account recovery procedures to recover the local account if network access using the Bromium Account of Last Resort is required.

Vulnerability discussion

Since Bromium multifactor authentication is implemented through use of the enclave's directory service, the Bromium account of last resort cannot comply with the DoD requirement for multifactor authentication. Since local account password complexity requirements are not met, a weak password could be hacked, giving immediate privileged access to the BEC.Bromium, Inc. recommends that the setup account and any other local accounts be removed from the BEC application. In the event of a system-wide failure to connect to the authentication server, system recovery, or other organization-defined emergency, an authorized and credentialed administrator of the host server, can recover the setup account or create another account when needed. When the emergency is over, the account must once again be removed.Note: Either create a new account and password or change the password in order to comply with BROM-00-000690.

Check content

Ask the site representatives if they have developed and documented an emergency local account recovery procedure for the BEC Account of Last Resort. Examine the BEC SSP. If the BEC has not developed and documented an emergency local account recovery procedure for the BEC Account of Last Resort, this is a finding.

Fix text

Remove all local accounts after setup. Use the Bromium system recovery process to either create another account or recover the setup account when needed. 1. Using the BEC server setup application, generate the password for the local Account of Last Resort using a FIPS 140-2 compliant password generator. 2. Configure the BEC and all BEC user accounts to leverage an external authentication server (e.g., Active Directory). 3. Upon successful configuration and connection of the BEC to the authentication server, remove the local BEC account. In the event of a system-wide failure to connect to the authentication server, system recovery, or other organization-defined emergency: 1. Gain access to the Windows Server running BEC. 2. Run the BEC server setup application (BrBMSSettings.exe). 3. Click on "Database Settings". 4. Check the box next to "Request new administrator user". 5. Click "Save". Remove the account once normal operations resume. Either create a new account and password each time the account is retried or change the password each time the same account is recovered in order to comply with BROM-00-000690.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer