Application architecture may sometimes require a configuration where an application server is placed behind a web proxy, an application gateway or communicates directly with another application server. In those instances, the application server hosting the service/application is considered the server. The application server, proxy or application gateway consuming the hosted service is considered a client. Authentication is accomplished via the use of certificates and protocols such as TLS mutual authentication. Authentication must be performed when the proxy is exposed to an untrusted network or when data protection requirements specified in the system security plan mandate the need to establish the identity of the connecting application server, proxy or application gateway.

This control focuses on communications protection at the session, versus packet level. At the application layer, session IDs are tokens generated by web applications to uniquely identify an application user's session. Web applications utilize session tokens or session IDs in order to establish application user identity. Proper use of session IDs addresses attacks, including session hijacking or insertion of false information into a session. Application servers must provide the capability to perform mutual authentication. Mutual authentication is when both the client and the server authenticate each other.

Fix Text

Configure the application server to mutually authenticate proxy servers, other application servers and application gateways as specified.

Configure the application server to mutually authenticate during the entire session as required by application design and policy.

Check Content

Review the application server documentation, system security plan and application data protection requirements. If the connected web proxy is exposed to an untrusted network or if data protection requirements specified in the system security plan mandate the need to establish the identity of the connecting application server, proxy or application gateway and the application server is not configured to mutually authenticate the application server, proxy server or gateway, this is a finding.

Review the application server configuration and documentation to ensure the application server provides mutual authentication capabilities. If the application server does not provide the ability for applications to utilize mutual authentication, this is a finding.
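
The check above can be made concrete for a TLS listener built on Python's standard `ssl` module. This is an added example, not part of the original requirement text; it assumes the server's TLS settings are held in an `ssl.SSLContext`, and the helper names `make_server_context` and `mutual_auth_findings` are hypothetical.

```python
import ssl
from typing import List


def make_server_context(verify_mode: ssl.VerifyMode) -> ssl.SSLContext:
    """Build a server-side context with the given client-certificate policy.

    A deployed server would also call ctx.load_cert_chain(...) for its own
    identity and ctx.load_verify_locations(cafile=...) for the CA that issues
    client certificates; both are omitted so the example runs without files.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # default policy: CERT_NONE
    ctx.verify_mode = verify_mode
    return ctx


def mutual_auth_findings(ctx: ssl.SSLContext) -> List[str]:
    """Return the reasons this context does not enforce mutual authentication."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        # Only the server proves its identity; the consumer stays anonymous.
        findings.append("client certificate is never requested")
    elif ctx.verify_mode == ssl.CERT_OPTIONAL:
        # A peer that sends no certificate still completes the handshake.
        findings.append("client certificate is optional")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        # Without a trust anchor no client certificate can be validated.
        findings.append("no CA certificate loaded to validate client certificates")
    return findings


if __name__ == "__main__":
    # Constructed sample contexts: one per client-certificate policy.
    for mode in (ssl.CERT_NONE, ssl.CERT_OPTIONAL, ssl.CERT_REQUIRED):
        print(mode.name, mutual_auth_findings(make_server_context(mode)))
```

Only `CERT_REQUIRED` together with a loaded client CA produces an empty findings list; `CERT_OPTIONAL` is reported because it accepts peers that present no certificate.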