| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-16801 | APP3400 | SV-17801r1_rule | ECLO-1 | Medium |
| Description |
|---|
| User accounts should only be unlocked by the user contacting an administrator and making a formal request to have the account reset. Accounts that are automatically unlocked after a set time limit allow potential attackers to retry possible user password combinations without the knowledge of the user or the administrator. |
| STIG | Date |
|---|---|
| Application Security and Development Checklist | 2014-01-07 |
| Check Text (C-17797r1_chk) |
|---|
| Ask the application representative to demonstrate that only the administrator can unlock locked accounts. 1) If the application allows non-administrators to unlock accounts, it is a finding. |
| Fix Text (F-17070r1_fix) |
|---|
| Allow only the administrator to unlock locked accounts. |
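The distinction this rule draws, a lock that silently expires versus one that only an administrator can clear, is shown below as an added illustration; it is not code from the STIG or from any DISA tool, and the `Account`, `LockoutPolicy` and `check_policy` names are assumptions. `check_policy` is the automated form of the check text: it locks a constructed test account and asks whether it is still locked a day later with no administrator action.

```python
"""Account lockout handling: time-based auto-unlock (the APP3400 finding)
beside administrator-only unlock (the fix). Added illustration; the class and
function names are assumptions, not part of any STIG tooling."""
from dataclasses import dataclass
from typing import Optional

ADMIN_ROLE = "administrator"


@dataclass
class Account:
    username: str
    failures: int = 0
    locked: bool = False
    locked_at: float = 0.0  # epoch seconds at which the lock was applied


class LockoutPolicy:
    def __init__(self, max_failures: int = 3, auto_unlock_after: Optional[float] = None):
        # auto_unlock_after=None: the lock persists until an administrator clears it.
        # A number of seconds: the lock expires on its own (the non-compliant case).
        self.max_failures = max_failures
        self.auto_unlock_after = auto_unlock_after

    def is_locked(self, acct: Account, now: float) -> bool:
        if not acct.locked:
            return False
        if self.auto_unlock_after is not None and now - acct.locked_at >= self.auto_unlock_after:
            return False  # lock expired silently: guessing can resume unnoticed
        return True

    def record_failure(self, acct: Account, now: float) -> None:
        if self.is_locked(acct, now):
            return  # attempt rejected before any password comparison
        if acct.locked:  # an expired time-based lock: the counter starts over
            acct.locked, acct.failures = False, 0
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.locked, acct.locked_at = True, now

    def unlock(self, acct: Account, actor_roles: set) -> None:
        # Only an administrator, acting on the user's formal request, may unlock.
        if ADMIN_ROLE not in actor_roles:
            raise PermissionError(f"{acct.username}: unlock requires the {ADMIN_ROLE} role")
        acct.locked, acct.failures, acct.locked_at = False, 0, 0.0


def check_policy(policy: LockoutPolicy) -> bool:
    """True when a locked account is still locked one day later with no admin action."""
    acct = Account("testuser")  # constructed test account
    for _ in range(policy.max_failures):
        policy.record_failure(acct, now=0.0)
    return policy.is_locked(acct, now=86_400.0)
```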