The network device must require users to re-authenticate when privilege escalation or role changes occur.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-55247	SRG-APP-000389-NDM-000306	SV-69493r1_rule		Medium

Description
Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When devices provide the capability to change security roles, it is critical the user re-authenticate. In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of individuals and/or devices in other situations, including (but not limited to) the following circumstances. (i) When authenticators change; (ii) When roles change; (iii) When security categories of information systems change; (iv) When the execution of privileged functions occurs; (v) After a fixed period of time; or (vi) Periodically. Within the DoD, the minimum circumstances requiring re-authentication are privilege escalation and role changes.

Description

Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When devices provide the capability to change security roles, it is critical the user re-authenticate. In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of individuals and/or devices in other situations, including (but not limited to) the following circumstances. (i) When authenticators change; (ii) When roles change; (iii) When security categories of information systems change; (iv) When the execution of privileged functions occurs; (v) After a fixed period of time; or (vi) Periodically. Within the DoD, the minimum circumstances requiring re-authentication are privilege escalation and role changes.

STIG	Date
Network Device Management Security Requirements Guide	2017-07-07

Details

Check Text ( C-55867r1_chk )
Determine if the network device requires users to re-authenticate when privilege escalation or role changes occur. This requirement may be verified by demonstration, configuration review, or validated test results. This requirement may be met through use of a properly configured authentication server if the device is configured to use the authentication server. If users are not required to re-authenticate when privilege escalation or role changes occur, this is a finding.

Check Text ( C-55867r1_chk )

Determine if the network device requires users to re-authenticate when privilege escalation or role changes occur. This requirement may be verified by demonstration, configuration review, or validated test results. This requirement may be met through use of a properly configured authentication server if the device is configured to use the authentication server.

If users are not required to re-authenticate when privilege escalation or role changes occur, this is a finding.

Fix Text (F-60111r1_fix)
Configure the network device or its associated authentication server to require users to re-authenticate when privilege escalation or role changes occur.