
The IAO will ensure default passwords are changed.


Overview

Finding ID: V-6134
Version: APP6260
Rule ID: SV-6134r1_rule
IA Controls: IAIA-1
Severity: High
Description
Default passwords can easily be compromised by attackers, allowing immediate access to the applications.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text (C-3052r1_chk)
Run a password-cracking tool, if available, on a copy of each account database (there may be more than one in the application infrastructure).

1) If the password-cracking tool is able to crack the password of a privileged user, this is a CAT I finding.

2) If the password-cracking tool is able to crack the password of a non-privileged user, this is a CAT II finding.

Manually attempt to authenticate with the published default password for that account, if such a default password exists.

3) If any privileged built-in account uses a default password – no matter how complex – this is a CAT I finding.

4) If a non-privileged account has a default password, this is a CAT II finding.
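
The default-password part of this check can also be run offline against the database copy, which catches a complex published default that a cracking tool would not recover. This is an added example, not part of the STIG; the record layout, the PBKDF2 storage scheme, the account names and the default passwords are all constructed assumptions.

```python
import hashlib
import hmac

ITERATIONS = 10_000  # assumed storage parameter for this constructed sample

def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def record(user, password, salt, privileged):
    """Build one row of the constructed account-database copy."""
    return {"user": user, "salt": salt, "hash": pbkdf2(password, salt),
            "privileged": privileged}

# Constructed stand-in for vendor documentation: published defaults per built-in account.
PUBLISHED_DEFAULTS = {
    "admin": ["admin", "changeme"],
    "sysmaint": ["Xk9#vT2!qLm7$Rz"],  # complex, but still a published default
    "guest": ["guest"],
}

# Constructed copy of the account database (the check works on a copy).
ACCOUNTS = [
    record("admin", "changeme", b"salt-01", True),
    record("sysmaint", "Xk9#vT2!qLm7$Rz", b"salt-02", True),
    record("guest", "guest", b"salt-03", False),
    record("reports", "w7!Hq-changed-by-IAO", b"salt-04", False),
]

def audit_defaults(accounts, defaults):
    """Return (user, category) for every account still on a published default."""
    findings = []
    for acct in accounts:
        for candidate in defaults.get(acct["user"], []):
            if hmac.compare_digest(pbkdf2(candidate, acct["salt"]), acct["hash"]):
                # Items 3 and 4 of the check: privileged -> CAT I, otherwise CAT II.
                category = "CAT I" if acct["privileged"] else "CAT II"
                findings.append((acct["user"], category))
                break
    return findings

if __name__ == "__main__":
    for user, category in audit_defaults(ACCOUNTS, PUBLISHED_DEFAULTS):
        print(f"{category}: {user} still uses a published default password")
```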
Fix Text (F-4426r1_fix)
Change default passwords.