The web server must disable accounts when the accounts are no longer associated to a user.
Overview

| Finding ID | Version | Rule ID | IA Controls | Severity |
| --- | --- | --- | --- | --- |
| V-264338 | SRG-APP-000705-WSR-000110 | SV-264338r984359_rule | CCI-003628 | medium |

| Description |
| --- |
| Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system. |

| STIG | Date |
| --- | --- |
| Web Server Security Requirements Guide | 2025-02-12 |

Details
Check Text (C-264338r984359_chk)
Verify the web server is configured to disable accounts when the accounts are no longer associated to a user.
If the web server is not configured to disable accounts when the accounts are no longer associated to a user, this is a finding.
Fix Text (F-68159r984358_fix)
Configure the web server to disable accounts when the accounts are no longer associated to a user.