UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

AAA Services Security Requirements Guide


Overview

Date Finding Count (79)
2024-07-02 CAT I (High): 8 CAT II (Med): 68 CAT III (Low): 3
STIG Description
This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-204676 High AAA Services must be configured to not accept certificates that have been revoked for PKI-based authentication.
V-204672 High AAA Services must be configured to encrypt transmitted credentials using a FIPS-validated cryptographic module.
V-204657 High AAA Services must be configured to use secure protocols when connecting to directory services.
V-204658 High AAA Services must be configured to use protocols that encrypt credentials when authenticating clients, as defined in the PPSM CAL and vulnerability assessments.
V-204671 High For password-based authentication, AAA Services must be configured to store passwords using an approved salted key derivation function, preferably using a keyed hash.
V-204660 High AAA Services must be configured to uniquely identify and authenticate organizational users.
V-204675 High AAA Services must be configured to only accept certificates issued by a DoD-approved Certificate Authority for PKI-based authentication.
V-204679 High AAA Services must be configured to protect the confidentiality and integrity of all information at rest.
V-204687 Medium AAA Services must be configured to notify system administrators (SAs) and information system security officer (ISSO) of account enabling actions.
V-204686 Medium AAA Services must be configured to automatically audit account enabling actions.
V-204685 Medium AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) for account removal actions.
V-204684 Medium AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) for account disabling actions.
V-204683 Medium AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) when accounts are modified.
V-204682 Medium AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) when accounts are created.
V-263528 Medium AAA Services must be configured to disable accounts when the accounts are no longer associated to a user.
V-204670 Medium AAA Services must be configured to require the change of at least eight of the total number of characters when passwords are changed.
V-204689 Medium AAA Services must be configured to maintain locks on user accounts until released by an administrator.
V-263536 Medium For password-based authentication, AAA Services must be configured to allow user selection of long passwords and passphrases, including spaces and all printable characters.
V-263537 Medium For password-based authentication, AAA Services must be configured to employ automated tools to assist the user in selecting strong password authenticators.
V-263534 Medium For password-based authentication, AAA Services must be configured to verify when users create or update passwords, and that the passwords are not on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
V-263535 Medium For password-based authentication, AAA Services must be configured to require immediate selection of a new password upon account recovery.
V-263532 Medium For password-based authentication, AAA Services must be configured to update the list of passwords on an organization-defined frequency.
V-263533 Medium For password-based authentication, AAA Services must be configured to update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly.
V-263530 Medium AAA Services must be configured to automatically generate audit records of the enforcement actions.
V-263531 Medium AAA Services must be configured to require users to be individually authenticated before granting access to the shared accounts or resources.
V-204645 Medium AAA Services must be configured to audit each authentication and authorization transaction.
V-263538 Medium For public key-based authentication, AAA Services must be configured to implement a local cache of revocation data to support path discovery and validation.
V-263539 Medium AAA Services must be configured to include only approved trust anchors in trust stores or certificate stores managed by the organization.
V-204650 Medium AAA Services configuration audit records must identify the outcome of the events.
V-204636 Medium AAA Services must be configured to provide automated account management functions.
V-204637 Medium AAA Services must be configured to automatically remove temporary user accounts after 72 hours.
V-204651 Medium AAA Services configuration audit records must identify any individual user or process associated with the event.
V-204638 Medium AAA Services must be configured to automatically remove authorizations for temporary user accounts after 72 hours.
V-204639 Medium AAA Services must be configured to automatically disable accounts after a 35-day period of account inactivity.
V-204652 Medium AAA Services must be configured to alert the SA and ISSO when any audit processing failure occurs.
V-204677 Medium AAA Services must be configured to enforce authorized access to the corresponding private key for PKI-based authentication.
V-204674 Medium AAA Services must be configured to enforce a 60-day maximum password lifetime restriction.
V-204653 Medium AAA Services must be configured to generate audit records overwriting the oldest audit records in a first-in-first-out manner.
V-204655 Medium AAA Services must be configured to use internal system clocks to generate time stamps for audit records.
V-204656 Medium AAA Services must be configured to disable non-essential modules.
V-204654 Medium AAA Services must be configured to queue audit records locally until communication is restored when any audit processing failure occurs.
V-204647 Medium AAA Services configuration audit records must identify when (date and time) the events occurred.
V-204678 Medium AAA Services must be configured to map the authenticated identity to the user account for PKI-based authentication.
V-204673 Medium AAA Services must be configured to enforce 24 hours as the minimum password lifetime.
V-263529 Medium AAA Services must be configured to disable accounts when the accounts are in violation of organizational policy.
V-204696 Medium AAA Services must be configured to authenticate all NTP messages received from NTP servers and peers.
V-204690 Medium AAA Services must be configured to send audit records to a centralized audit server.
V-204691 Medium AAA Services must be configured to use or map to Coordinated Universal Time (UTC) to record time stamps for audit records.
V-204692 Medium AAA Services must be configured with a minimum granularity of one second to record time stamps for audit records.
V-204693 Medium AAA Services used for 802.1x must be configured to authenticate network endpoint devices (supplicants) before the authenticator establishes any connection.
V-204698 Medium AAA Services used for 802.1x must be configured to use secure Extensible Authentication Protocol (EAP), such as EAP-TLS, EAP-TTLS, and PEAP.
V-204699 Medium AAA Services must not be configured with shared accounts.
V-263527 Medium AAA Services must be configured to disable accounts when the accounts have expired.
V-204646 Medium AAA Services configuration audit records must identify what type of events occurred.
V-204659 Medium AAA Services must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-204641 Medium AAA Services must be configured to automatically audit account modification.
V-204669 Medium AAA Services must be configured to enforce password complexity by requiring that at least one special character be used.
V-204668 Medium AAA Services must be configured to enforce password complexity by requiring that at least one numeric character be used.
V-204648 Medium AAA Services configuration audit records must identify where the events occurred.
V-204680 Medium AAA Services must be configured to prevent automatically removing emergency accounts.
V-204661 Medium AAA Services must be configured to require multifactor authentication using Personal Identity Verification (PIV) credentials for authenticating privileged user accounts.
V-204663 Medium AAA Services used for 802.1x must be configured to uniquely identify network endpoints (supplicants) before the authenticator establishes any connection.
V-204662 Medium AAA Services must be configured to require multifactor authentication using Common Access Card (CAC) Personal Identity Verification (PIV) credentials for authenticating non-privileged user accounts.
V-204664 Medium AAA Services must be configured to enforce a minimum 15-character password length.
V-204667 Medium AAA Services must be configured to enforce password complexity by requiring that at least one lowercase character be used.
V-204666 Medium AAA Services must be configured to enforce password complexity by requiring that at least one uppercase character be used.
V-204643 Medium AAA Services must be configured to automatically audit account removal actions.
V-204642 Medium AAA Services must be configured to automatically audit account disabling actions.
V-204704 Medium AAA Services must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-204640 Medium AAA Services must be configured to automatically audit account creation.
V-204702 Medium AAA Services must be configured to use IP segments separate from production VLAN IP segments.
V-204703 Medium AAA Services must be configured to place non-authenticated network access requests in the Unauthorized VLAN or the Guest VLAN with limited access.
V-204700 Medium AAA Services used to authenticate privileged users for device management must be configured to connect to the management network.
V-204701 Medium AAA Services must be configured to use a unique shared secret for communication (i.e. RADIUS, TACACS+) with clients requesting authentication services.
V-204649 Medium AAA Services configuration audit records must identify the source of the events.
V-204644 Medium AAA Services must be configured to automatically lock user accounts after three consecutive invalid logon attempts within a 15-minute time period.
V-204681 Low AAA Services must be configured to prevent automatically disabling emergency accounts.
V-204695 Low AAA Services must be configured to use at least two NTP servers to synchronize time.
V-204697 Low AAA Services must be configured to use their loopback or OOB management interface address as the source address when originating NTP traffic.