2.1 Ensure Authentication is configured

Information

This setting ensures that all clients, users, servers are required to authenticate before being granted access to the MongoDB database.

Authentication is the process of verifying the identity of a client. When access control, i.e. authorization, is enabled, MongoDB requires all clients to authenticate themselves in order to determine their access.

from MongoDB documentation

Authentication Mechanisms

MongoDB supports a number of authentication mechanisms that clients can use to verify their identity. These mechanisms allow MongoDB to integrate into your existing authentication system.

MongoDB supports multiple authentication mechanisms:

SCRAM (Default)

x.509 Certificate Authentication.

Certificate Authority

For production use, your MongoDB deployment should use valid certificates generated and signed by a certificate authority. You or your organization can generate and maintain an independent certificate authority, or use certificates generated by third-party TLS/SSL vendors.

In addition to supporting the aforementioned mechanisms, MongoDB Enterprise also supports the following mechanisms:

LDAP proxy authentication

Kerberos authentication.

Rationale:

Failure to authenticate clients, users, servers can enable unauthorized access to the MongoDB database and can prevent tracing actions back to their sources.

It's highly recommended that password length and complexity also be in-place. When performing the traditional user/password authentication against MongoDB there is not in-place intrinsic password complexity check and there is no LOCKING mechanism with multiple failure logins. So, MongoDB is prone to brute force attacks compared to other database systems.

Solution

The authentication mechanism should be implemented before anyone accesses the MongoDB Server.
To enable the authentication mechanism:

Start the MongoDB instance without authentication.

mongod --port 27017 --dbpath /data/db1

Or

mongod.exe --port 27017 --dbpath db1

Create the system user administrator, ensuring that its password meets organizationally-defined password in terms of length and complexity requirements as there is no in-place locking mechanism for multiple failed login attempts against MongoDB.

use admin
db.createUser(
{
user: 'MongoAdmin',
pwd: 'password',
roles: [ { role: 'root', db: 'admin' } ]
}
)

Open mongod.conf and change for authorization value to enabled:

security:
authorization: 'enabled'

Restart the MongoDB instance

service mongod restart

Default Value:

By default, authorization is set to disable.

See Also

https://workbench.cisecurity.org/benchmarks/15135

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), 800-53|IA-2(2), 800-53|IA-5(1), CSCv7|16.3

Plugin: Windows

Control ID: 90973c2cd1ff577717319aed4ca846dd4431e2df9311d42fd56b43e267b2f328