CUI

STIG Rule - V-282943

V-282943

SV-282943r1179530_rule

CAT II

MongoDB must be configured to restrict the use of administrator access to authorized IP addresses.

From: MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide (V1R1)

Description

MongoDB will use Authentication Restrictions to enforce network-based separation of admin users from application users on the same port. With Authentication Restrictions, the database can be configured to specify a list of IP addresses and CIDR ranges from which a user is allowed to connect to the server or from which the server can accept users. Authentication Restrictions addresses the following:

- Network-based Separation: Admin users are restricted to connecting only from designated admin networks/IPs, while application users are restricted to the application subnet.
- Unauthorized Access Mitigation: Even if credentials are compromised, connections are blocked from unauthorized networks at the authentication level, leaving no chance for bypass.

Documentable: false

Check Procedure

To verify administrative access is logically separated and restricted to authorized management networks:

1. Review the organization-defined administrative roles. These administrative roles include, but are not limited to: root, clusterAdmin, dbAdminAnyDatabase, userAdminAnyDatabase, dbAdmin, userAdmin, and dbOwner.

2. Review all users within the admin database to identify those assigned any of the administrative roles defined above.

3. For each identified administrative user, check for the presence of the authenticationRestrictions field. Verify that a clientSource is defined to restrict access to authorized management networks.

Example script:

    // Define admin roles
    const adminRoles = new Set(["root", "clusterAdmin", "dbAdminAnyDatabase", "userAdminAnyDatabase",
                                "dbAdmin", "userAdmin", "dbOwner", "<your_custom_admin_role>"]);

    // Check all users under 'admin' and filter for admin roles
    const admins = db.getSiblingDB("admin").system.users.find().toArray()
      .filter(u => u.roles.some(r => adminRoles.has(r.role)))
      .map(u => {
        const restr = u.authenticationRestrictions || [];
        const clientIPs = restr.flatMap(r => r.clientSource || []);
        const serverIPs = restr.flatMap(r => r.serverAddress || []);
        return {
          "User": u.user,
          "DB": u.db,
          "Admin Roles": u.roles.filter(r => adminRoles.has(r.role)).map(r => r.role).join(", "),
          "Client IPs": clientIPs.length ? clientIPs.join(", ") : "ANY (Unrestricted)",
          "Server Address": serverIPs.length ? serverIPs.join(", ") : "ANY (Unrestricted)"
        };
      });
    console.table(admins);

If an administrative user does not have an authenticationRestrictions field defined, or if the clientSource is not restricted to a valid, organization-defined management network, this is a finding.

If the local policy requires interface-specific isolation and the Server Address is not defined or is not restricted to the server's management interface IP, this is a finding.

In the absence of approved documentation, assume localhost (127.0.0.1) is the only approved address.

Example output (note that user0 is compliant while user1 is not):

    (index)  User     DB       Admin Roles  Client IPs            Server Address
    0        'user0'  'admin'  'root'       '127.0.0.1'           '127.0.0.1'
    1        'user1'  'admin'  'root'       'ANY (Unrestricted)'  'ANY (Unrestricted)'
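As an added example that is not part of the STIG text, the script below applies the finding criteria above to user documents shaped like admin.system.users entries, without a live database. It goes one step further than the check script: each clientSource entry is tested for IPv4 CIDR containment against an assumed list of approved management networks (default: 127.0.0.1 only), so a clientSource broader than the approved network is also reported; the role set, sample users and network list are constructed assumptions.

```javascript
// Added example (not part of the STIG): apply the finding criteria to user documents
// shaped like admin.system.users entries. Runs in Node or mongosh without a live database.
const ADMIN_ROLES = new Set(["root", "clusterAdmin", "dbAdminAnyDatabase",
  "userAdminAnyDatabase", "dbAdmin", "userAdmin", "dbOwner"]);

// Parse an IPv4 address or CIDR into [networkAsUint32, prefixLength]; null if not IPv4.
function parseCidr4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:\/(\d{1,2}))?$/.exec(s);
  if (!m) return null;
  const octets = m.slice(1, 5).map(Number);
  const prefix = m[5] === undefined ? 32 : Number(m[5]);
  if (octets.some(o => o > 255) || prefix > 32) return null;
  const ip = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
  return [ip, prefix];
}
// True only if every address covered by `source` lies inside one approved network.
function withinApproved(source, approvedNets) {
  const src = parseCidr4(source);
  if (!src) return false;                        // unparsable or IPv6: not approved
  return approvedNets.some(net => {
    const n = parseCidr4(net);
    if (!n || src[1] < n[1]) return false;        // source is broader than the approved net
    const mask = n[1] === 0 ? 0 : (0xffffffff << (32 - n[1])) >>> 0;
    return ((src[0] & mask) >>> 0) === ((n[0] & mask) >>> 0);
  });
}

// Administrative users that are findings: no restriction at all, or a clientSource outside
// the approved networks. The default approved list follows the rule: localhost only.
function findings(users, approvedNets = ["127.0.0.1"]) {
  return users
    .filter(u => (u.roles || []).some(r => ADMIN_ROLES.has(r.role)))
    .filter(u => {
      const sources = (u.authenticationRestrictions || []).flatMap(r => r.clientSource || []);
      return sources.length === 0 || !sources.every(s => withinApproved(s, approvedNets));
    })
    .map(u => `${u.user}@${u.db}`);
}

// Constructed sample documents (not real users)
const SAMPLE_USERS = [
  { user: "user0", db: "admin", roles: [{ role: "root", db: "admin" }],
    authenticationRestrictions: [{ clientSource: ["127.0.0.1"], serverAddress: ["127.0.0.1"] }] },
  { user: "user1", db: "admin", roles: [{ role: "root", db: "admin" }] },
  { user: "ops", db: "admin", roles: [{ role: "clusterAdmin", db: "admin" }],
    authenticationRestrictions: [{ clientSource: ["10.20.0.0/16"] }] },
  { user: "app", db: "orders", roles: [{ role: "readWrite", db: "orders" }] },
];
console.log(findings(SAMPLE_USERS, ["127.0.0.1", "10.20.0.0/24"]));
```

user1 is reported because it has no restriction, and ops is reported because a /16 clientSource is broader than the approved /24.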

Fix Text

For all administrative users that do not have network restrictions configured, use the following command:

    use admin
    db.updateUser("<username>", {
      authenticationRestrictions: [
        { clientSource: ["<ip_or_cidr>"], serverAddress: ["<ip_or_cidr>"] }
      ]
    })

Run the following command to restrict access to localhost:

    use admin
    db.updateUser("<username>", {
      authenticationRestrictions: [
        { clientSource: ["127.0.0.1"], serverAddress: ["127.0.0.1"] }
      ]
    })

More information can be found here: https://www.mongodb.com/docs/manual/reference/command/createUser/#authentication-restrictions

CCI Reference

CCI-000382

Created: 2026-04-07 20:08:22
Last Updated: 2026-04-07 20:08:22