
The designer will ensure the application has a capability to notify the user of important login information.


Overview

| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-16817 | APP3660 | SV-17817r1_rule | ECLO-2 | Low |
Description
Attempted logons must be controlled to prevent password guessing exploits and unauthorized access attempts.
| STIG | Date |
|---|---|
| Application Security and Development Checklist | 2014-12-22 |

Details

Check Text (C-17816r1_chk)
Policy:

The designer will ensure the application has a capability to notify the user on logon of date and time of the user's last unsuccessful logon, IP address of the user’s last unsuccessful logon, date and time of the user's last successful logon, IP address of the user’s last successful logon, and number of unsuccessful logon attempts since the last successful logon.

Check:
If the application uses password authentication, try to log on to the system using an incorrect password.

Restart the application and log on again using the correct password. After a successful logon to the application, log out of the application and note the dates and times of the last successful and unsuccessful logons. Log on to the application again and determine whether the application correctly displays the following information immediately at logon:

Unsuccessful Logon
Date
Time
IP Address

Successful Logon
Date
Time
IP Address

If the application does not correctly display the last unsuccessful and successful logon information immediately at login, it is a finding.

For CAC and NSA approved token authentication logons, remove the CAC or mistype the PIN to simulate an unsuccessful login.
Fix Text (F-17117r1_fix)
Display last login information.
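
The following is an added example, not part of the STIG or of any particular application, showing one way to keep the five items named in the policy so that the notice shown at logon describes the state before the current logon. The class and function names, the in-memory store and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class LogonHistory:
    last_success_at: Optional[datetime] = None
    last_success_ip: Optional[str] = None
    last_failure_at: Optional[datetime] = None
    last_failure_ip: Optional[str] = None
    failures_since_success: int = 0

class LogonTracker:
    """In-memory store (assumption); a real application persists this per account."""
    def __init__(self):
        self._history = {}

    def record_failure(self, user, ip, when):
        h = self._history.get(user, LogonHistory())
        self._history[user] = replace(
            h, last_failure_at=when, last_failure_ip=ip,
            failures_since_success=h.failures_since_success + 1)

    def record_success(self, user, ip, when):
        """Return the history as it stood BEFORE this logon, then roll it forward."""
        previous = self._history.get(user, LogonHistory())
        # Keep the last failure details; only the counter resets on success.
        self._history[user] = replace(
            previous, last_success_at=when, last_success_ip=ip,
            failures_since_success=0)
        return previous

def format_notice(h):
    """Build the text shown immediately after a successful logon."""
    def line(label, at, ip):
        if at is None:
            return f"{label}: none recorded"
        return f"{label}: {at:%Y-%m-%d} {at:%H:%M:%S} UTC from {ip}"
    return "\n".join([
        line("Last unsuccessful logon", h.last_failure_at, h.last_failure_ip),
        line("Last successful logon", h.last_success_at, h.last_success_ip),
        "Unsuccessful logon attempts since last successful logon: "
        f"{h.failures_since_success}"])

if __name__ == "__main__":
    # Constructed sample data following the check: fail, succeed, succeed again.
    tracker = LogonTracker()
    day = lambda h: datetime(2014, 12, 22, h, 0, 0, tzinfo=timezone.utc)
    tracker.record_failure("alice", "203.0.113.7", day(9))
    tracker.record_success("alice", "198.51.100.4", day(10))
    print(format_notice(tracker.record_success("alice", "198.51.100.9", day(11))))
```

Returning the previous record from `record_success` before updating it avoids the common mistake of showing the user the logon they have just completed as their "last successful logon".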