
Authentication, Authorization, and Accounting Services (AAA) Security Requirements Guide


Overview

Date: 2018-10-01
Finding Count: 69 (CAT I (High): 8, CAT II (Med): 57, CAT III (Low): 4)
STIG Description
This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-80915 High AAA Services must be configured to encrypt transmitted credentials using a FIPS-validated cryptographic module.
V-80815 High AAA Services must be configured to use secure protocols when connecting to directory services.
V-80933 High AAA Services must be configured to protect the confidentiality and integrity of all information at rest.
V-80817 High AAA Services must be configured to use protocols that encrypt credentials when authenticating clients, as defined in the PPSM CAL and vulnerability assessments.
V-80891 High AAA Services must be configured to uniquely identify and authenticate organizational users.
V-80953 High AAA Services must be configured to encrypt locally stored credentials using a FIPS-validated cryptographic module.
V-80925 High AAA Services must be configured to only accept certificates issued by a DoD-approved Certificate Authority for PKI-based authentication.
V-80927 High AAA Services must be configured to not accept certificates that have been revoked for PKI-based authentication.
V-80881 Medium AAA Services must be configured to use or map to Coordinated Universal Time (UTC) to record time stamps for audit records.
V-80869 Medium AAA Services must be configured to send audit records to a centralized audit server.
V-80949 Medium AAA Services must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-80885 Medium AAA Services must be configured to authenticate all NTP messages received from NTP servers and peers.
V-80947 Medium AAA Services must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-80865 Medium AAA Services configuration audit records must identify the outcome of the events.
V-80945 Medium AAA Services must be configured to disable non-essential modules.
V-80867 Medium AAA Services configuration audit records must identify any individual user or process associated with the event.
V-80943 Medium AAA Services must be configured to place non-authenticated network access requests in the Unauthorized VLAN or the Guest VLAN with limited access.
V-80861 Medium AAA Services configuration audit records must identify where the events occurred.
V-80941 Medium AAA Services must be configured to use IP segments separate from production VLAN IP segments.
V-80863 Medium AAA Services configuration audit records must identify the source of the events.
V-80909 Medium AAA Services must be configured to enforce password complexity by requiring that at least one numeric character be used.
V-80829 Medium AAA Services must be configured to automatically audit account creation.
V-80879 Medium AAA Services must be configured with a minimum granularity of one second to record time stamps for audit records.
V-80847 Medium AAA Services must be configured to notify system administrators and ISSO of account enabling actions.
V-80833 Medium AAA Services must be configured to automatically audit account disabling actions.
V-80911 Medium AAA Services must be configured to enforce password complexity by requiring that at least one special character be used.
V-80831 Medium AAA Services must be configured to automatically audit account modification.
V-80913 Medium AAA Services must be configured to require the change of at least eight of the total number of characters when passwords are changed.
V-80837 Medium AAA Services must be configured to notify the system administrators and ISSO when accounts are created.
V-80835 Medium AAA Services must be configured to automatically audit account removal actions.
V-80917 Medium AAA Services must be configured to enforce 24 hours as the minimum password lifetime.
V-80819 Medium AAA Services must be configured to provide automated account management functions.
V-80937 Medium AAA Services used to authenticate privileged users for device management must be configured to connect to the management network.
V-80895 Medium AAA Services must be configured to require multifactor authentication using Common Access Card (CAC) Personal Identity Verification (PIV) credentials for authenticating non-privileged user accounts.
V-80897 Medium AAA Services used for 802.1x must be configured to uniquely identify network endpoints (supplicants) before the authenticator establishes any connection.
V-80889 Medium AAA Services must be configured to audit each authentication and authorization transaction.
V-80893 Medium AAA Services must be configured to require multifactor authentication using Personal Identity Verification (PIV) credentials for authenticating privileged user accounts.
V-80877 Medium AAA Services must be configured to use internal system clocks to generate time stamps for audit records.
V-80855 Medium AAA Services must be configured to maintain locks on user accounts until released by an administrator.
V-80875 Medium AAA Services must be configured to queue audit records locally until communication is restored when any audit processing failure occurs.
V-80841 Medium AAA Services must be configured to notify the system administrators and ISSO for account disabling actions.
V-80873 Medium AAA Services must be configured to generate audit records overwriting the oldest audit records in a first-in-first-out manner.
V-80951 Medium AAA Services must be configured to automatically remove temporary user accounts after 72 hours.
V-80857 Medium AAA Services configuration audit records must identify what type of events occurred.
V-80871 Medium AAA Services must be configured to alert the SCA and ISSO when any audit processing failure occurs.
V-80919 Medium AAA Services must be configured to enforce a 60-day maximum password lifetime restriction.
V-80859 Medium AAA Services configuration audit records must identify when (date and time) the events occurred.
V-80839 Medium AAA Services must be configured to notify the system administrators and ISSO when accounts are modified.
V-80907 Medium AAA Services must be configured to enforce password complexity by requiring that at least one lower-case character be used.
V-80931 Medium AAA Services must be configured to map the authenticated identity to the user account for PKI-based authentication.
V-80845 Medium AAA Services must be configured to automatically audit account enabling actions.
V-80851 Medium AAA Services must be configured to automatically lock user accounts after three consecutive invalid logon attempts within a 15-minute time period.
V-80903 Medium AAA Services must be configured to enforce a minimum 15-character password length.
V-80821 Medium AAA Services must be configured to automatically remove authorizations for temporary user accounts after 72 hours.
V-80901 Medium AAA Services used for 802.1x must be configured to use secure Extensible Authentication Protocol (EAP), such as EAP-TLS, EAP-TTLS, and PEAP.
V-80823 Medium AAA Services must be configured to prevent automatically removing emergency accounts.
V-80929 Medium AAA Services must be configured to enforce authorized access to the corresponding private key for PKI-based authentication.
V-80843 Medium AAA Services must be configured to notify the system administrators and ISSO for account removal actions.
V-80905 Medium AAA Services must be configured to enforce password complexity by requiring that at least one upper-case character be used.
V-80827 Medium AAA Services must be configured to automatically disable accounts after a 35-day period of account inactivity.
V-80939 Medium AAA Services must be configured to use a unique shared secret for communication (i.e. RADIUS, TACACS+) with clients requesting authentication services.
V-80935 Medium AAA Services must not be configured with shared accounts.
V-80921 Medium AAA Services must be configured to prohibit password reuse for a minimum of five generations.
V-80923 Medium AAA Services must be configured to allow the use of a temporary password at initial logon with an immediate change to a permanent password.
V-80899 Medium AAA Services used for 802.1x must be configured to authenticate network endpoint devices (supplicants) before the authenticator establishes any connection.
V-80883 Low AAA Services must be configured to use at least two NTP servers to synchronize time.
V-80887 Low AAA Services must be configured to use their loopback or OOB management interface address as the source address when originating NTP traffic.
V-80825 Low AAA Services must be configured to prevent automatically disabling emergency accounts.
V-80849 Low AAA Services must be configured to use Role-Based Access Control (RBAC) policy for levels of access authorization.