| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-35721 | SRG-APP-000024-AS-000016 | SV-47008r1_rule | | Medium |
| Description |
|---|
| Temporary application server user accounts are typically created for a vendor support visit, where a support representative needs a unique short-lived account to perform diagnostic testing or other support-related activity. When such accounts are created, there is a risk that the temporary account remains in place and active after the support representative has left. To address this risk when temporary or emergency accounts are required, the application server user management capability must be able to identify which application server user accounts are temporary in nature and provide a mechanism to automatically terminate them. An AS may be able to use either a local or a centralized user registry. A centralized enterprise user registry such as Active Directory (AD) or LDAP is more likely to already contain provisions for automated account management, whereas a local user registry relies on either the underlying OS or the application server's built-in user management capabilities. |
| STIG | Date |
|---|---|
| Application Server Security Requirements Guide | 2013-01-08 |
| Check Text (C-44064r1_chk) |
|---|
| Review the AS configuration to determine if the AS is configured to automatically terminate temporary or emergency accounts. If the AS is not configured to meet this requirement, this is a finding. |
| Fix Text (F-40264r1_fix) |
|---|
| Configure the AS to automatically terminate temporary or emergency accounts. |