Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-16800 | APP3390 | SV-17800r1_rule | ECLO-1 ECLO-2 | High |
Description |
---|
If user accounts are not locked after a set number of unsuccessful logins, attackers can infinitely retry user password combinations providing immediate access to the application. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-12-22 |
Check Text ( C-17796r1_chk ) |
---|
Ask the application representative to demonstrate the application locks a user account if a user enters a password incorrectly more than three times in a 60 minute period. 1) If the account is not disabled, it is a finding. |
Fix Text (F-17069r1_fix) |
---|
Lock user accounts after three consecutive unsuccessful logon attempts within one hour. |