Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The designer will ensure locked users’ accounts can only be unlocked by the application administrator.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-16801 | APP3400 | SV-17801r1_rule | ECLO-1 | Medium |
| Description |
|---|
| User accounts should only be unlocked by the user contacting an administrator, and making a formal request to have the account reset. Accounts that are automatically unlocked after a set time limit, allow potential attackers to retry possible user password combinations without knowledge of the user or the administrator. |
| STIG | Date |
|---|---|
| Application Security and Development STIG | 2014-04-03 |
Details
| Check Text ( C-17797r1_chk ) |
|---|
| Ask the application representative to demonstrate that only the administrator can unlock locked accounts. 1) If the application allows non-administrator to unlock accounts, it is a finding. |
| Fix Text (F-17070r1_fix) |
|---|
| Allow only the administrator to unlock locked accounts. |