JBOS-AS-000355 - The JBoss server must separate hosted application functionality from application server management functionality.
The application server consists of the management interface and hosted applications. By separating the management interface from hosted applications, the user must authenticate as a privileged user to the management interface before being presented with management functionality. This prevents non-privileged users from having visibility to functions not available to the user. By limiting visibility, a compromised non-privileged account does not offer information to the attacker or functionality and information needed to further the attack on the application server. JBoss is designed to operate with separate application and management interfaces. The JBoss server is started via a script. To start the JBoss server in domain mode, the admin will execute the <JBOSS_HOME>/bin/domain.sh or domain.bat script. To start the JBoss server in standalone mode, the admin will execute <JBOSS_HOME>/bin/standalone.bat or standalone.sh. Command line flags are used to specify which network address is used for management and which address is used for public/application access. NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Start the application server with a -bmanagement and a -b flag so that admin management functionality and hosted applications are separated. Refer to section 4.9 in the JBoss EAP 6.3 Installation Guide for specific instructions on how to start the JBoss server as a service.