UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The IAO will ensure unnecessary built-in application accounts are disabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-6133 APP6250 SV-6133r1_rule IAIA-1 Medium
Description
Default passwords and properties of built-in accounts are often publicly available. Anyone with necessary knowledge, internal or external, can compromise an application using built-in accounts.
STIG Date
Application Security and Development Checklist 2014-12-22

Details

Check Text ( C-3051r1_chk )
If the user accounts used in the application are only operating system or database accounts, this check is Not Applicable.

Built-in accounts are those that are added as part of the installation of the application software. These accounts exist for many common commercial off-the-shelf (COTS) or open source components of enterprise applications (e.g., OS, web browser or database software). If SRRs are performed for these components, this is not applicable because the other SRRs will capture the relevant information and findings. If not, read the installation documentation to identify the built-in accounts. Also peruse the account list for obvious examples (e.g., accounts with vendor names such as Oracle or Tivoli). Verify that these accounts have been removed or disabled. If enabled built-in accounts are present, ask the application representative the reason for their existence.

1) If these accounts are not necessary to run the application, it is a finding.

2) If any of these accounts are privileged, it is a finding.
Fix Text (F-4425r1_fix)
Disable unnecessary built-in userids