UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The designer will ensure users’ accounts are locked after three consecutive unsuccessful logon attempts within one hour.


Overview

Finding ID Version Rule ID IA Controls Severity
V-16800 APP3390 SV-17800r1_rule ECLO-1 ECLO-2 High
Description
If user accounts are not locked after a set number of unsuccessful logins, attackers can infinitely retry user password combinations providing immediate access to the application.
STIG Date
Application Security and Development STIG 2014-04-03

Details

Check Text ( C-17796r1_chk )
Ask the application representative to demonstrate the application locks a user account if a user enters a password incorrectly more than three times in a 60 minute period.

1) If the account is not disabled, it is a finding.
Fix Text (F-17069r1_fix)
Lock user accounts after three consecutive unsuccessful logon attempts within one hour.