UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Unnecessary application accounts must be disabled, or deleted.


Overview

Finding ID Version Rule ID IA Controls Severity
V-69303 APSC-DV-000330 SV-83925r1_rule Medium
Description
Test or demonstration accounts are sometimes created during the application installation process. This creates a security risk as these accounts often remain after the initial installation process and can be used to gain unauthorized access to the application. Applications must be designed and configured to disable or delete any unnecessary accounts that may be created. Care must be taken to ensure valid accounts used for valid application operations are not disabled or deleted when this requirement is applied.
STIG Date
Application Security and Development Security Technical Implementation Guide 2017-12-18

Details

Check Text ( C-69715r1_chk )
Review the system documentation and identify any valid application accounts that are required in order for the application to operate. Accounts the application itself uses in order to function are not in scope for this requirement.

Have the application administrator generate a list of all application users. This should include relevant user metadata such as phone numbers or department identifiers.

Have the application administrator identify and validate all user accounts.

If any accounts cannot be validated and are deemed to be unnecessary, this is a finding.
Fix Text (F-75477r1_fix)
Design the application so unessential user accounts are not created during installation. Disable or delete all unnecessary application user accounts.