The IAO will ensure unnecessary built-in application accounts are disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6133	APP6250	SV-6133r1_rule	IAIA-1	Medium

Description
Default passwords and properties of built-in accounts are often publicly available. Anyone with necessary knowledge, internal or external, can compromise an application using built-in accounts.

STIG	Date
Application Security and Development STIG	2014-04-03

Details

Check Text ( C-3051r1_chk )
If the user accounts used in the application are only operating system or database accounts, this check is Not Applicable. Built-in accounts are those that are added as part of the installation of the application software. These accounts exist for many common commercial off-the-shelf (COTS) or open source components of enterprise applications (e.g., OS, web browser or database software). If SRRs are performed for these components, this is not applicable because the other SRRs will capture the relevant information and findings. If not, read the installation documentation to identify the built-in accounts. Also peruse the account list for obvious examples (e.g., accounts with vendor names such as Oracle or Tivoli). Verify that these accounts have been removed or disabled. If enabled built-in accounts are present, ask the application representative the reason for their existence. 1) If these accounts are not necessary to run the application, it is a finding. 2) If any of these accounts are privileged, it is a finding.

Check Text ( C-3051r1_chk )

If the user accounts used in the application are only operating system or database accounts, this check is Not Applicable.

Built-in accounts are those that are added as part of the installation of the application software. These accounts exist for many common commercial off-the-shelf (COTS) or open source components of enterprise applications (e.g., OS, web browser or database software). If SRRs are performed for these components, this is not applicable because the other SRRs will capture the relevant information and findings. If not, read the installation documentation to identify the built-in accounts. Also peruse the account list for obvious examples (e.g., accounts with vendor names such as Oracle or Tivoli). Verify that these accounts have been removed or disabled. If enabled built-in accounts are present, ask the application representative the reason for their existence.

1) If these accounts are not necessary to run the application, it is a finding.

2) If any of these accounts are privileged, it is a finding.

Fix Text (F-4425r1_fix)
Disable unnecessary built-in userids