From Bromium Secure Platform 4.x Security Technical Implementation Guide
Part of SRG-APP-000149
Associated with: CCI-000765
Since Bromium multifactor authentication is implemented through use of the enclave's directory service, the Bromium account of last resort cannot comply with the DoD requirement for multifactor authentication. Since local account password complexity requirements are not met, a weak password could be hacked, giving immediate privileged access to the BEC.
Ask the site representatives if they have developed and documented an emergency local account recovery procedure for the BEC Account of Last Resort. Examine the BEC SSP. If the BEC has not developed and documented an emergency local account recovery procedure for the BEC Account of Last Resort, this is a finding.
Remove all local accounts after setup. Use the Bromium system recovery process to either create another account or recover the setup account when needed. 1. Using the BEC server setup application, generate the password for the local Account of Last Resort using a FIPS 140-2 compliant password generator. 2. Configure the BEC and all BEC user accounts to leverage an external authentication server (e.g., Active Directory). 3. Upon successful configuration and connection of the BEC to the authentication server, remove the local BEC account. In the event of a system-wide failure to connect to the authentication server, system recovery, or other organization-defined emergency: 1. Gain access to the Windows Server running BEC. 2. Run the BEC server setup application (BrBMSSettings.exe). 3. Click on "Database Settings". 4. Check the box next to "Request new administrator user". 5. Click "Save". Remove the account once normal operations resume. Either create a new account and password each time the account is retried or change the password each time the same account is recovered in order to comply with BROM-00-000690.
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer