
IAAC-1 Account Control


Overview

A comprehensive account management process is implemented to ensure that only authorized users can gain access to workstations, applications, and networks and that individual accounts designated as inactive, suspended, or terminated are promptly deactivated.

MAC / CONF: Classified, Sensitive
Impact: High
Subject Area: Identification and Authentication

Details

Threat
Information within the organization is potentially vulnerable to access and exploitation by individuals using active accounts that should have been deactivated.  This includes individuals who have transferred from the organization, had their employment terminated, lost appropriate security clearance/need-to-know, or who otherwise are no longer authorized access to the system or its information resources.  In order to prevent unauthorized access and potential loss/compromise/destruction of information, it is essential that accounts be properly controlled and restricted only to authorized users.

Guidance
This implementation guidance is designed for use by Information Assurance Managers and/or System Administrators.  The following general implementation guidelines apply:
 
1. During the operating system installation process on servers and workstations, ensure that default accounts and associated passwords are disabled and/or removed IAW procedures applicable to the specific system (see the appropriate DISA STIG or vendor documentation).
2. During the application installation process on servers and workstations, ensure that any default accounts and associated passwords associated with the applications are disabled and/or removed IAW procedures applicable to the specific system (see the appropriate DISA STIG or vendor documentation).
3. When creating a new account for a system user, the registration process should collect at a minimum the following user information:
  · Name
  · Title and Position
  · IT Category
  · Organization
  · Phone Number
  · Official email address
  · Supervisor’s Name and Contact Information
  · Security Clearance Level/Special Access information
  · Projected Transfer Date (for military or TDY personnel)
4. Ensure that users and/or supervisors are aware of the requirement to notify System Administrators and IAMs/IAOs immediately when a user no longer requires, or is no longer authorized for, system access.
5. Disable and remove user IDs and passwords within two days of notification that a user no longer requires, or is no longer authorized for, system access.
6. System Administrators shall suspend user accounts that have been inactive for 30 days or more.
7. System Administrators shall immediately disable any account through which unauthorized user activity has been detected.
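Items 1, 2 and 6 above are checks a System Administrator can script rather than perform by hand. The following Python is an added example, not part of the IAAC-1 control text or of any STIG: it parses lastlog(8)-style output together with /etc/shadow-format records, then reports unlocked accounts with no login in the last 30 days (item 6) and well-known default accounts that are still enabled (items 1 and 2). The DEFAULT_ACCOUNTS set, the usernames, dates and hashes are all constructed for the example; a real run would feed it the output of `lastlog` and the contents of /etc/shadow from the host being audited, and the default-account list would come from the applicable STIG or vendor documentation.

```python
"""Inactive and default-account audit over constructed Unix data.

Added example, not from the IAAC-1 page.  Combines lastlog(8)-style
output with /etc/shadow-format records to flag
  - unlocked accounts inactive for >= INACTIVE_DAYS (guidance item 6)
  - well-known default accounts that are still enabled (items 1 and 2)
"""
from datetime import datetime, timedelta, timezone

INACTIVE_DAYS = 30
# Assumed list for the example; take the real one from the STIG / vendor docs.
DEFAULT_ACCOUNTS = {"guest", "ftp", "oracle", "admin"}

# Constructed lastlog(8) output (not captured from a real host).
LASTLOG = """\
Username         Port     From             Latest
root             tty1                      Wed Nov  3 08:15:01 +0000 2004
alice            pts/0    10.1.2.3         Tue Nov  9 14:02:11 +0000 2004
bob              pts/1    10.1.2.4         Mon Sep 13 09:30:45 +0000 2004
ftp                                        **Never logged in**
guest                                      **Never logged in**
oracle           pts/2    10.1.2.9         Fri Oct  1 17:45:00 +0000 2004
"""

# Constructed /etc/shadow records: name:hash:lastchg:min:max:warn:inact:expire:
# A hash field beginning with "!" or "*" marks the account as locked.
SHADOW = """\
root:$6$abc:12700:0:99999:7:::
alice:$6$def:12720:0:99999:7:::
bob:$6$ghi:12650:0:99999:7:::
ftp:$6$mno:12600:0:99999:7:::
guest:!:12600:0:99999:7:::
oracle:$6$jkl:12690:0:99999:7:::
"""

# Fixed "today" so the example is reproducible.
AS_OF = datetime(2004, 11, 10, tzinfo=timezone.utc)


def parse_lastlog(text):
    """Map username -> last login (aware datetime), or None if never logged in."""
    lines = text.splitlines()
    if lines and lines[0].startswith("Username"):
        lines = lines[1:]  # drop the column header
    result = {}
    for line in lines:
        if not line.strip():
            continue
        fields = line.split()
        name = fields[0]
        if "**Never logged in**" in line:
            result[name] = None
            continue
        # The timestamp is the trailing six whitespace-separated fields.
        stamp = " ".join(fields[-6:])
        result[name] = datetime.strptime(stamp, "%a %b %d %H:%M:%S %z %Y")
    return result


def parse_shadow(text):
    """Map username -> True if the password field marks the account locked."""
    locked = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        locked[fields[0]] = fields[1].startswith(("!", "*"))
    return locked


def audit(lastlog_text, shadow_text, as_of=AS_OF, inactive_days=INACTIVE_DAYS):
    """Return (inactive_unlocked, default_enabled) as sorted username lists."""
    last_login = parse_lastlog(lastlog_text)
    locked = parse_shadow(shadow_text)
    cutoff = as_of - timedelta(days=inactive_days)
    inactive_unlocked, default_enabled = [], []
    for name, is_locked in locked.items():
        if is_locked:
            continue  # already suspended; nothing to report
        if name in DEFAULT_ACCOUNTS:
            default_enabled.append(name)
        when = last_login.get(name)
        # An unlocked account that has never logged in is treated as inactive.
        if when is None or when < cutoff:
            inactive_unlocked.append(name)
    return sorted(inactive_unlocked), sorted(default_enabled)


if __name__ == "__main__":
    inactive, defaults = audit(LASTLOG, SHADOW)
    print("Unlocked, inactive >= %d days: %s" % (INACTIVE_DAYS, ", ".join(inactive)))
    print("Default accounts still enabled: %s" % ", ".join(defaults))
```

Two caveats before acting on the report. lastlog only records logins that pass through the lastlog mechanism, so a service account used only by cron or a daemon never appears there and will be flagged; confirm process and cron ownership before suspending it. And on Linux, "suspending" by locking only the password field (`passwd -l`) does not necessarily block SSH public-key logins when sshd defers account checks to PAM; setting an expiry date in the past (`chage -E 0`) disables the account for every authentication path.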

References

  • CJCSM 6510.01, Change 1, Enclosure C, Appendix A, 10 August 2004
  • Windows XP STIG, Section 12.2, 03 December 2002
  • Windows NT/XP/2000 Addendum Version 4, Release 1, Section 5, 26 February 2004
  • DISA Unix STIG, Version 4, Release 4, 15 September 2003
  • DISA Supplement to Network Infrastructure Checklist Version 5, Release 2.1, Cisco Router Checklist NET 0465, 01 June 2004
  • DISA Database STIG, Version 7, Release 1, Section 3.1, 29 October 2004