The designer will ensure locked users’ accounts can only be unlocked by the application administrator.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-16801 | APP3400 | SV-17801r1_rule | ECLO-1 | Medium |
| Description |
|---|
| User accounts should only be unlocked by the user contacting an administrator, and making a formal request to have the account reset. Accounts that are automatically unlocked after a set time limit, allow potential attackers to retry possible user password combinations without knowledge of the user or the administrator. |
| STIG | Date |
|---|---|
| Application Security and Development Checklist | 2014-12-22 |
Details
| Check Text ( C-17797r1_chk ) |
|---|
| Ask the application representative to demonstrate that only the administrator can unlock locked accounts. 1) If the application allows non-administrator to unlock accounts, it is a finding. |
| Fix Text (F-17070r1_fix) |
|---|
| Allow only the administrator to unlock locked accounts. |