Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-16817 | APP3660 | SV-17817r1_rule | ECLO-2 | Low |
Description |
---|
Attempted logons must be controlled to prevent password guessing exploits and unauthorized access attempts. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-04-03 |
Check Text ( C-17816r1_chk ) |
---|
Policy: The designer will ensure the application has a capability to notify the user on logon of date and time of the user's last unsuccessful logon, IP address of the user’s last unsuccessful logon, date and time of the user's last successful logon, IP address of the user’s last successful logon, and number of unsuccessful logon attempts since the last successful logon. Check: If the application uses password authentication, try to logon to the system using an incorrect password. Restart the application and logon again using the correct password. After a successful logon to the application, logout of the application and note the date and times for the last success and unsuccessful logons. Again, logon to the application and determine whether the application correctly displays the following information immediately at logon: Unsuccessful Logon Date Time IP Address Successful Logon Date Time IP Address If the application does not correctly display the last unsuccessful and successful logon information immediately at login, it is a finding For CAC and NSA approved token authentication logons, remove the CAC or mistype the PIN to simulate an unsuccessful login. |
Fix Text (F-17117r1_fix) |
---|
Display last login information. |