
The application server must provide a mechanism to automatically terminate accounts designated as being temporary or emergency after an organization defined time period.


Overview

Finding ID: V-35721
Version: SRG-APP-000024-AS-000016
Rule ID: SV-47008r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Temporary application server user accounts may be needed in situations such as a vendor support visit, where a support representative requires a temporary unique account to perform diagnostic testing or some other support-related activity. When these accounts are created, there is a risk that the temporary account will remain in place and active after the support representative has left. To address this risk where temporary or emergency accounts are required, the application server user management capability must be able to identify application server user accounts that are temporary in nature and provide a mechanism to automatically terminate them.

An application server (AS) may be able to use either a local or a centralized user registry. A centralized enterprise user registry such as Active Directory (AD) or LDAP is more likely to already contain provisions for automated account management, whereas a local user registry will rely on either the underlying OS or the application server's built-in user management capabilities.
STIG: Application Server Security Requirements Guide
Date: 2013-01-08

Details

Check Text (C-44064r1_chk)
Review the AS configuration to determine if the AS is configured to automatically terminate temporary or emergency accounts. If the AS is not configured to meet this requirement, this is a finding.
Fix Text (F-40264r1_fix)
Configure the AS to automatically terminate temporary or emergency accounts.