Unnecessary application accounts must be disabled, or deleted.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-222412 | APSC-DV-000330 | SV-222412r508029_rule | Medium |
| Description |
|---|
| Test or demonstration accounts are sometimes created during the application installation process. This creates a security risk as these accounts often remain after the initial installation process and can be used to gain unauthorized access to the application. Applications must be designed and configured to disable or delete any unnecessary accounts that may be created. Care must be taken to ensure valid accounts used for valid application operations are not disabled or deleted when this requirement is applied. |
| STIG | Date |
|---|---|
| Application Security and Development Security Technical Implementation Guide | 2020-09-30 |
Details
| Check Text ( C-24082r493144_chk ) |
|---|
| Review the system documentation and identify any valid application accounts that are required in order for the application to operate. Accounts the application itself uses in order to function are not in scope for this requirement. Have the application administrator generate a list of all application users. This should include relevant user metadata such as phone numbers or department identifiers. Have the application administrator identify and validate all user accounts. If any accounts cannot be validated and are deemed to be unnecessary, this is a finding. |
| Fix Text (F-24071r493145_fix) |
|---|
| Design the application so unessential user accounts are not created during installation. Disable or delete all unnecessary application user accounts. |