Administrative accounts for device management must be configured on the authentication server and not the network device itself (except for the emergency administration account).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-55299 | SRG-APP-000516-NDM-000336 | SV-69545r2_rule | Medium |
| Description |
|---|
| The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion. Administrative accounts for network device management must be configured on the authentication server and not the network device itself. The only exception is for the emergency administration account (also known as the account of last resort), which is configured locally on each device. Note that more than one emergency administration account may be permitted if approved. |
| STIG | Date |
|---|---|
| Network Device Management Security Requirements Guide | 2016-07-07 |
Details
| Check Text ( C-55919r2_chk ) |
|---|
| Review the network device configuration to determine if administrative accounts for device management exist on the device. If any administrative accounts other than the emergency administrative account(s) exist on the device, this is a finding. |
| Fix Text (F-60163r2_fix) |
|---|
| Configure the administrative accounts for device management on the authentication servers. |