The network device must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-55113 | SRG-APP-000163-NDM-000251 | SV-69359r3_rule | Medium |
| Description |
|---|
| Inactive identifiers pose a risk to network devices. Attackers that are able to exploit an inactive identifier can potentially obtain and maintain undetected access to the device. Owners of inactive accounts may not notice if unauthorized access to their account has been obtained. Network devices need to track periods of inactivity and disable application identifiers after 35 days of inactivity. This control does not apply to the account of last resort or root account. DoD prohibits local user accounts on the device, except for an account of last resort and (where applicable) a root account. |
| STIG | Date |
|---|---|
| Network Device Management Security Requirements Guide | 2017-07-07 |
Details
| Check Text ( C-55935r2_chk ) |
|---|
| Determine if the network device disables identifiers after 35 days of inactivity for all local identifiers except for the account of last resort or root account. For non-local accounts, verify that the device is configured to use an authentication server. If the network device does not have the capability to automatically disable or remove identifiers after 35 days of inactivity, this is a finding. |
| Fix Text (F-60179r2_fix) |
|---|
| Configure the network device or its associated authentication server to disable identifiers after 35 days of inactivity. For remote logon using the authentication server, configure this capability on the authentication server. Disable or remove unauthorized local identifiers, except for the account of last resort and the root account. |