Authentication, Authorization, and Accounting Services (AAA) Security Requirements Guide


Overview

Date: 2019-12-12
Finding Count: 69 (CAT I (High): 8, CAT II (Med): 57, CAT III (Low): 4)
STIG Description
This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-80915 High AAA Services must be configured to encrypt transmitted credentials using a FIPS-validated cryptographic module.
V-80815 High AAA Services must be configured to use secure protocols when connecting to directory services.
V-80933 High AAA Services must be configured to protect the confidentiality and integrity of all information at rest.
V-80817 High AAA Services must be configured to use protocols that encrypt credentials when authenticating clients, as defined in the PPSM CAL and vulnerability assessments.
V-80891 High AAA Services must be configured to uniquely identify and authenticate organizational users.
V-80953 High AAA Services must be configured to encrypt locally stored credentials using a FIPS-validated cryptographic module.
V-80925 High AAA Services must be configured to only accept certificates issued by a DoD-approved Certificate Authority for PKI-based authentication.
V-80927 High AAA Services must be configured to not accept certificates that have been revoked for PKI-based authentication.
V-80881 Medium AAA Services must be configured to use or map to Coordinated Universal Time (UTC) to record time stamps for audit records.
V-80869 Medium AAA Services must be configured to send audit records to a centralized audit server.
V-80949 Medium AAA Services must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-80885 Medium AAA Services must be configured to authenticate all NTP messages received from NTP servers and peers.
V-80947 Medium AAA Services must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-80865 Medium AAA Services configuration audit records must identify the outcome of the events.
V-80945 Medium AAA Services must be configured to disable non-essential modules.
V-80867 Medium AAA Services configuration audit records must identify any individual user or process associated with the event.
V-80943 Medium AAA Services must be configured to place non-authenticated network access requests in the Unauthorized VLAN or the Guest VLAN with limited access.
V-80861 Medium AAA Services configuration audit records must identify where the events occurred.
V-80941 Medium AAA Services must be configured to use IP segments separate from production VLAN IP segments.
V-80863 Medium AAA Services configuration audit records must identify the source of the events.
V-80909 Medium AAA Services must be configured to enforce password complexity by requiring that at least one numeric character be used.
V-80829 Medium AAA Services must be configured to automatically audit account creation.
V-80879 Medium AAA Services must be configured with a minimum granularity of one second to record time stamps for audit records.
V-80847 Medium AAA Services must be configured to notify system administrators and ISSO of account enabling actions.
V-80833 Medium AAA Services must be configured to automatically audit account disabling actions.
V-80911 Medium AAA Services must be configured to enforce password complexity by requiring that at least one special character be used.
V-80831 Medium AAA Services must be configured to automatically audit account modification.
V-80913 Medium AAA Services must be configured to require the change of at least eight of the total number of characters when passwords are changed.
V-80837 Medium AAA Services must be configured to notify the system administrators and ISSO when accounts are created.
V-80835 Medium AAA Services must be configured to automatically audit account removal actions.
V-80917 Medium AAA Services must be configured to enforce 24 hours as the minimum password lifetime.
V-80819 Medium AAA Services must be configured to provide automated account management functions.
V-80937 Medium AAA Services used to authenticate privileged users for device management must be configured to connect to the management network.
V-80895 Medium AAA Services must be configured to require multifactor authentication using Common Access Card (CAC) Personal Identity Verification (PIV) credentials for authenticating non-privileged user accounts.
V-80897 Medium AAA Services used for 802.1x must be configured to uniquely identify network endpoints (supplicants) before the authenticator establishes any connection.
V-80889 Medium AAA Services must be configured to audit each authentication and authorization transaction.
V-80893 Medium AAA Services must be configured to require multifactor authentication using Personal Identity Verification (PIV) credentials for authenticating privileged user accounts.
V-80877 Medium AAA Services must be configured to use internal system clocks to generate time stamps for audit records.
V-80855 Medium AAA Services must be configured to maintain locks on user accounts until released by an administrator.
V-80875 Medium AAA Services must be configured to queue audit records locally until communication is restored when any audit processing failure occurs.
V-80841 Medium AAA Services must be configured to notify the system administrators and ISSO for account disabling actions.
V-80873 Medium AAA Services must be configured to generate audit records overwriting the oldest audit records in a first-in-first-out manner.
V-80951 Medium AAA Services must be configured to automatically remove temporary user accounts after 72 hours.
V-80857 Medium AAA Services configuration audit records must identify what type of events occurred.
V-80871 Medium AAA Services must be configured to alert the SA and ISSO when any audit processing failure occurs.
V-80919 Medium AAA Services must be configured to enforce a 60-day maximum password lifetime restriction.
V-80859 Medium AAA Services configuration audit records must identify when (date and time) the events occurred.
V-80839 Medium AAA Services must be configured to notify the system administrators and ISSO when accounts are modified.
V-80907 Medium AAA Services must be configured to enforce password complexity by requiring that at least one lower-case character be used.
V-80931 Medium AAA Services must be configured to map the authenticated identity to the user account for PKI-based authentication.
V-80845 Medium AAA Services must be configured to automatically audit account enabling actions.
V-80851 Medium AAA Services must be configured to automatically lock user accounts after three consecutive invalid logon attempts within a 15-minute time period.
V-80903 Medium AAA Services must be configured to enforce a minimum 15-character password length.
V-80821 Medium AAA Services must be configured to automatically remove authorizations for temporary user accounts after 72 hours.
V-80901 Medium AAA Services used for 802.1x must be configured to use secure Extensible Authentication Protocol (EAP), such as EAP-TLS, EAP-TTLS, and PEAP.
V-80823 Medium AAA Services must be configured to prevent automatically removing emergency accounts.
V-80929 Medium AAA Services must be configured to enforce authorized access to the corresponding private key for PKI-based authentication.
V-80843 Medium AAA Services must be configured to notify the system administrators and ISSO for account removal actions.
V-80905 Medium AAA Services must be configured to enforce password complexity by requiring that at least one upper-case character be used.
V-80827 Medium AAA Services must be configured to automatically disable accounts after a 35-day period of account inactivity.
V-80939 Medium AAA Services must be configured to use a unique shared secret for communication (i.e. RADIUS, TACACS+) with clients requesting authentication services.
V-80935 Medium AAA Services must not be configured with shared accounts.
V-80921 Medium AAA Services must be configured to prohibit password reuse for a minimum of five generations.
V-80923 Medium AAA Services must be configured to allow the use of a temporary password at initial logon with an immediate change to a permanent password.
V-80899 Medium AAA Services used for 802.1x must be configured to authenticate network endpoint devices (supplicants) before the authenticator establishes any connection.
V-80883 Low AAA Services must be configured to use at least two NTP servers to synchronize time.
V-80887 Low AAA Services must be configured to use their loopback or OOB management interface address as the source address when originating NTP traffic.
V-80825 Low AAA Services must be configured to prevent automatically disabling emergency accounts.
V-80849 Low AAA Services must be configured to use Role-Based Access Control (RBAC) policy for levels of access authorization.