The application server must disable device accounts after an organization-defined time period of inactivity.


Overview

Finding ID: V-35309
Version: SRG-APP-000163-AS-000111
Rule ID: SV-46596r1_rule
IA Controls: (none listed)
Severity: Medium
Description
A device account represents a remote system or device rather than a user. Inactive device accounts pose a risk to the AS and to the applications residing on it. Accounts used for device access must be disabled if they are not being used. Disabling access for inactive devices greatly reduces the risk that the system will be misused, hijacked, or have its data compromised. It is acceptable for the AS to be configured to use a centralized device account store, such as LDAP or AD, that provides this capability.
STIG: Application Server Security Requirements Guide
Date: 2013-01-08

Details

Check Text ( C-43678r1_chk )
Review the AS configuration to ensure the AS disables device accounts after an organization-defined time period of inactivity. If the AS is not configured to disable inactive device accounts, and is not configured to use a centralized device account store that meets this requirement, this is a finding.
Fix Text (F-39855r1_fix)
Configure the AS to disable inactive device accounts per the organization's specified period of inactivity.