Information
This setting ensures that all clients, users, and servers are required to authenticate before being granted access to the MongoDB database.
Authentication is the process of verifying the identity of a client. When access control, i.e. authorization, is enabled, MongoDB requires all clients to authenticate themselves in order to determine their access.
To authenticate as a user, you must provide a username, password, and the authentication database associated with that user.
Rationale:
Failure to authenticate clients, users, and servers can enable unauthorized access to the MongoDB database and can prevent tracing actions back to their sources.
Solution
The authentication mechanism should be implemented before anyone accesses the MongoDB Server.
To enable the authentication mechanism:
Start the MongoDB instance without authentication.
mongod --port 27017 --dbpath /data/db1
Or
mongod.exe --port 27017 --dbpath db1
Create the system user administrator, ensuring that its password meets organizationally-defined password complexity requirements.
use admin
db.createUser(
  {
    user: 'siteUserAdmin',
    pwd: 'password',
    roles: [ { role: 'userAdminAnyDatabase', db: 'admin' } ]
  }
)
Open mongod.conf and set the authorization value under security to enabled:
security:
  authorization: enabled
Restart the MongoDB instance
service mongodb restart
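The four steps above, carried through as one added POSIX shell example (my own code, not part of the benchmark text): one function audits mongod.conf for security.authorization, one remediates it idempotently, and one emits the createUser call for the admin user. It assumes a YAML mongod.conf with the two-space indentation used in the snippet above, and the function names, the MONGO_ADMIN_PWD environment variable, and the audit/remediate subcommands are my own choices; the restart (step 4) is left to the operator.

```shell
#!/bin/sh
# Added example: audit and remediate "security.authorization" in a mongod.conf
# style YAML file, and print the createUser statement for the admin user.
# Assumes the two-level layout "security:" / "  authorization: ..." used in
# the benchmark; restarting mongod afterwards is done by the operator.

# Return 0 when an "authorization: enabled" line sits under "security:",
# 1 otherwise. Quotes around the value (as in the page's snippet) are tolerated.
mongo_auth_enabled() {
    conf="$1"
    [ -f "$conf" ] || return 1
    # tr strips quote characters; awk tracks whether the current line is
    # inside the top-level security: block (top-level keys start in column 0).
    tr -d "\"'" < "$conf" | awk '
        /^[A-Za-z]/ { in_sec = ($1 == "security:") }
        in_sec && $1 == "authorization:" { if ($2 == "enabled") found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Rewrite the file so that security.authorization is "enabled": replace an
# existing value, add the key to an existing security: block, or append a
# new block. Running it twice leaves the file unchanged.
enable_authorization() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    tmp="$conf.tmp.$$"
    awk '
        /^[A-Za-z]/ {
            # leaving a security: block that had no authorization key
            if (in_sec && !done) { print "  authorization: enabled"; done = 1 }
            in_sec = ($1 == "security:"); if (in_sec) seen_sec = 1
        }
        in_sec && $1 == "authorization:" { print "  authorization: enabled"; done = 1; next }
        { print }
        END {
            if (!done) {
                if (!seen_sec) print "security:"
                print "  authorization: enabled"
            }
        }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Print the createUser call for step 2. The password is read from the
# MONGO_ADMIN_PWD environment variable (an assumption of this example) so it
# never appears on a command line or in shell history.
create_admin_js() {
    user="$1"
    pass="${MONGO_ADMIN_PWD:?set MONGO_ADMIN_PWD in the environment}"
    printf "db.getSiblingDB('admin').createUser({ user: '%s', pwd: '%s', roles: [ { role: 'userAdminAnyDatabase', db: 'admin' } ] })\n" \
        "$user" "$pass"
}

# Entry point: "audit <conf>" or "remediate <conf>". With no arguments the
# file only defines the functions, so it can be sourced from other scripts.
case "${1:-}" in
    audit)
        if mongo_auth_enabled "$2"; then echo "authorization: enabled"
        else echo "authorization NOT enabled in $2"; exit 1; fi ;;
    remediate)
        enable_authorization "$2" && echo "updated $2; restart mongod to apply" ;;
esac
```

Typical use follows the benchmark's order: with mongod still running without access control, pipe `create_admin_js siteUserAdmin` into the MongoDB shell, then run `remediate /etc/mongod.conf`, restart the service, and finally run `audit /etc/mongod.conf` as the recurring check.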
Default Value:
By default, authorization is disabled.