UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The designer will ensure locked users’ accounts can only be unlocked by the application administrator.


Overview

Finding ID Version Rule ID IA Controls Severity
V-16801 APP3400 SV-17801r1_rule ECLO-1 Medium
Description
User accounts should only be unlocked by the user contacting an administrator, and making a formal request to have the account reset. Accounts that are automatically unlocked after a set time limit, allow potential attackers to retry possible user password combinations without knowledge of the user or the administrator.
STIG Date
Application Security and Development Checklist 2014-12-22

Details

Check Text ( C-17797r1_chk )
Ask the application representative to demonstrate that only the administrator can unlock locked accounts.

1) If the application allows non-administrator to unlock accounts, it is a finding.
Fix Text (F-17070r1_fix)
Allow only the administrator to unlock locked accounts.