
The application server must automatically disable accounts after an organization defined period of account inactivity.


Overview

Finding ID: V-35724
Version: SRG-APP-000025-AS-000017
Rule ID: SV-47011r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Inactive user accounts pose a risk to systems and applications: the owner of an inactive account is unlikely to notice if someone else has obtained access to it. Application servers need to track periods of user inactivity and disable application server user accounts after an organization defined period of inactivity. Doing so greatly reduces the risk that accounts will be misused or hijacked, or that data will be compromised. An AS may support either a local or a centralized user registry. A centralized enterprise user registry such as AD or LDAP is more likely to already contain provisions for automated account management, whereas a local user registry will rely on either the underlying OS or the application server's built-in user management capabilities.
STIG: Application Server Security Requirements Guide
Date: 2013-01-08

Details

Check Text ( C-44067r3_chk )
Review the AS configuration to determine whether the AS is configured to automatically disable inactive accounts after 35 days of inactivity. This is a finding if neither the AS itself nor a centralized user management solution (AD, LDAP, etc.) that the AS relies on for its user registry is configured to meet this requirement.
Fix Text (F-40267r1_fix)
Configure the AS to automatically disable accounts after the organization defined period of account inactivity has expired.
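How the tracking and disabling step can be implemented for a local user registry, as an added example that is not part of this STIG and not any particular application server's own tooling. It assumes a registry that exposes per-account creation and last-authentication timestamps (the Account record, the sample data and the helper names are constructed for illustration) and uses the 35-day threshold from the check text. It covers the cases an auditor would probe: an account that has never authenticated, an account that is already disabled, and an account just short of the threshold.

```python
"""Added example (not part of the STIG): an inactivity sweep for a local
application-server user registry.  The Account record shape, the sample
registry and the helper names are assumptions for illustration; the 35-day
threshold is the value named in the check text."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

INACTIVITY_LIMIT = timedelta(days=35)  # threshold from the check text

# Constructed "now" for the sample data below (the STIG's own date).
SAMPLE_NOW = datetime(2013, 1, 8, tzinfo=timezone.utc)


@dataclass
class Account:
    name: str
    created: datetime               # timezone-aware time of provisioning
    last_auth: Optional[datetime]   # None if the account never authenticated
    disabled: bool = False


def idle_for(acct: Account, now: datetime) -> timedelta:
    """Inactivity measured from the last successful authentication.

    An account that has never authenticated is measured from its creation
    time, so a provisioned-but-unused account does not stay exempt forever.
    """
    anchor = acct.last_auth if acct.last_auth is not None else acct.created
    if anchor.tzinfo is None or now.tzinfo is None:
        # Mixing naive and aware datetimes would raise or compare wrongly
        # across zones; insist on timezone-aware registry data.
        raise ValueError(f"timestamps for {acct.name} must be timezone-aware")
    return now - anchor


def accounts_to_disable(registry: List[Account], now: datetime,
                        limit: timedelta = INACTIVITY_LIMIT) -> List[str]:
    """Names of enabled accounts whose inactivity meets or exceeds the limit."""
    return sorted(a.name for a in registry
                  if not a.disabled and idle_for(a, now) >= limit)


def sweep(registry: List[Account], now: Optional[datetime] = None,
          limit: timedelta = INACTIVITY_LIMIT) -> Tuple[List[str], List[str]]:
    """Disable overdue accounts in place; return (names, audit lines).

    Already-disabled accounts are skipped, so repeated runs are idempotent
    and the audit trail records each disablement exactly once.
    """
    now = now or datetime.now(timezone.utc)
    names = accounts_to_disable(registry, now, limit)
    by_name = {a.name: a for a in registry}
    audit = []
    for name in names:
        by_name[name].disabled = True
        audit.append(f"{now.isoformat()} DISABLED {name} "
                     f"idle={idle_for(by_name[name], now).days}d")
    return names, audit


def sample_registry(now: datetime = SAMPLE_NOW) -> List[Account]:
    """Constructed registry covering the edge cases the sweep must handle."""
    d = timedelta
    return [
        Account("alice", now - d(days=400), now - d(days=3)),             # active
        Account("bob",   now - d(days=400), now - d(days=35)),            # exactly at the limit
        Account("carol", now - d(days=40),  None),                        # never logged in, stale
        Account("dave",  now - d(days=10),  None),                        # never logged in, recent
        Account("erin",  now - d(days=400), now - d(days=90), True),      # already disabled
        Account("frank", now - d(days=400), now - d(days=34, hours=23)),  # just under the limit
    ]


if __name__ == "__main__":
    reg = sample_registry()
    disabled, audit = sweep(reg, SAMPLE_NOW)
    print("\n".join(audit))  # bob and carol
```

Run the sweep from a scheduled job, not from the request path, and keep the audit lines in the AS log so the check can be evidenced. For a centralized registry the same policy is usually a built-in; in Active Directory, for example, Search-ADAccount -AccountInactive -TimeSpan 35.00:00:00 piped to Disable-ADAccount performs the equivalent sweep.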