| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-35309 | SRG-APP-000163-AS-000111 | SV-46596r1_rule | | Medium |
| Description |
|---|
| A device account represents a remote system or device rather than a user. Inactive device accounts pose a risk to the AS and to the applications residing on it. Accounts used for device access must be disabled if they are not being used. Disabling access for inactive devices greatly reduces the risk that the system will be misused, hijacked, or have its data compromised. It is acceptable for the AS to be configured to use a centralized device account store, such as LDAP or AD, that provides this capability. |
| STIG | Date |
|---|---|
| Application Server Security Requirements Guide | 2013-01-08 |
| Check Text (C-43678r1_chk) |
|---|
| Review the AS configuration to ensure the AS disables device accounts after an organization-defined period of inactivity. If the AS is not configured to disable inactive device accounts, or is not configured to use a centralized device account store that meets this requirement, this is a finding. |
| Fix Text (F-39855r1_fix) |
|---|
| Configure the AS to disable inactive device accounts per the organization's specified period of inactivity. |
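
As an added example (not part of the STIG text or any particular application server), the inactivity rule from the check above written as a small audit routine in Python over constructed sample account records: it only considers device accounts, treats never-used accounts as inactive from their creation date, and skips accounts that are already disabled. The account fields, the sample data and the 35-day threshold are assumptions standing in for the organization-defined values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Account:
    name: str
    kind: str                           # "device" or "user"
    created: datetime
    last_activity: Optional[datetime]   # None = never authenticated
    enabled: bool = True


def inactive_device_accounts(accounts: List[Account], max_inactive_days: int,
                             now: datetime) -> List[str]:
    """Return names of enabled device accounts idle longer than the threshold."""
    cutoff = now - timedelta(days=max_inactive_days)
    hits = []
    for acct in accounts:
        if acct.kind != "device" or not acct.enabled:
            continue                    # user accounts are out of scope here
        last_seen = acct.last_activity or acct.created
        if last_seen < cutoff:
            hits.append(acct.name)
    return sorted(hits)


def disable_accounts(accounts: List[Account], names: List[str]) -> int:
    """Mark the named accounts disabled; returns how many were changed."""
    changed = 0
    for acct in accounts:
        if acct.name in names and acct.enabled:
            acct.enabled = False
            changed += 1
    return changed


# Constructed sample data; "now" is pinned so the result is reproducible.
NOW = datetime(2013, 1, 8, tzinfo=timezone.utc)
UTC = timezone.utc
SAMPLE = [
    Account("printer-01", "device", datetime(2012, 1, 1, tzinfo=UTC), datetime(2012, 12, 20, tzinfo=UTC)),
    Account("scanner-07", "device", datetime(2012, 1, 1, tzinfo=UTC), datetime(2012, 10, 1, tzinfo=UTC)),
    Account("sensor-12", "device", datetime(2012, 6, 1, tzinfo=UTC), None),      # never used
    Account("sensor-13", "device", datetime(2013, 1, 1, tzinfo=UTC), None),      # new, still in grace
    Account("jdoe", "user", datetime(2011, 1, 1, tzinfo=UTC), datetime(2012, 1, 1, tzinfo=UTC)),
    Account("legacy-cam", "device", datetime(2010, 1, 1, tzinfo=UTC), None, enabled=False),
]

if __name__ == "__main__":
    stale = inactive_device_accounts(SAMPLE, 35, NOW)
    print("to disable:", stale)         # to disable: ['scanner-07', 'sensor-12']
    print("disabled:", disable_accounts(SAMPLE, stale))
```

Re-running the audit after `disable_accounts` returns an empty list, which is the state the check expects to find.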