| This implementation guidance is designed for use by Information Assurance Managers, System Administrators, or individual Subject Matter Experts (SMEs) tasked with implementation of I&A mechanisms. The following general implementation guidelines apply: |
1. To ensure compliance with (DoD PKI policy), DoD PKI is to be the primary mechanism of individual identification and authentication for all DoD systems wherever possible. For DoD PKI infrastructure implementation guidance, refer to DoDI 8520.2, Enclosure 3 (01 Apr 04).
2. For systems that have not yet implemented, or are unable to implement DoD PKI, ensure that individual user accounts are set up in accordance with guidance provided in implementation guidance for IAAC-1 and ECLP-1.
3. When setting up user accounts on workstations, servers, databases, or individual applications, system administrators shall set password configuration parameters to ensure that password structure conforms to the following standards:
· Passwords must be a minimum of eight (8) characters in length.
· Passwords must contain a case-sensitive mixture of letters, digits, and special characters (e.g., punctuation marks, etc.) such as the example (emPagd2!).
· Whenever a password is changed (by the user or system administrator), at least four characters must be changed from the previous password (e.g., [emPagd2!] becomes [0LP&gd2?]).
· Password aging must be enabled to ensure that passwords must be changed at least every ninety (90) days for classified and SBU systems and no more frequently than every seven (7) days for both types of system.
· System administrators shall configure system accounts to maintain a password history for a period of at least one (1) year. Additionally, users shall not be allowed to use any of their ten (10) previously used passwords.
4. Ensure that the process for registering new users on the system and providing user ID and password conform to practices outlined in IAAC-1.
5. System Administrators (or other SMEs involved in Independent Verification and Validation of password features) shall test the robustness of user passwords on systems processing classified or SBU information by employing a DoD-approved password policy enforcement tool (e.g., Anixis PPE).
6. System Administrators are to ensure that all default, factory-set, or standard-user accounts and associated default passwords are disabled and, to the extent that the OS or application permits, removed completely. Refer to OS, system, or application-specific STIGs, configuration standards, or vendor’s configuration guidance for specific steps on how do disable and/or remove default user accounts, IDs, and passwords.
7. Authenticators/user IDs/passwords shall be protected in the following manner:
· Access to system files containing user account information and passwords shall be restricted to system administrators
· Files containing authenticator information shall be classified at the level of information for which the accounts and passwords are assigned to protect.
· Passwords shall be shadowed. If password characters display in clear text while being entered into the password acceptance field, check the configuration of the application to ensure that the shadowing feature is enabled.
· System security policy, rules of behavior, or other applicable system user policy shall be written in a manner that specifically prohibits the sharing of passwords among users.
· Review any and all scripts used for automated boot processes or application access shall be reviewed to ensure that they contain no password automation or access features.
8. User passwords shall be encrypted, both at rest and in transit through the network using robust (i.e., 128-bit or stronger) encryption through a DoD-approved algorithm (e.g., RC4, RC5, IDEA, Blowfish) and through such robust means of secure transit as SSH and SSL-3.