Users are permitted to change their passwords at an interval of less than 24 hours without ISSO/IAO intervention.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-7963 | DSN13.08 | SV-8449r1_rule | ECSC-1 IAIA-1 IAIA-2 | Medium |
| Description |
|---|
| Requirement: The IAO will ensure that NO user passwords will be changed at an interval of less than 24 hours without IAO intervention. Permitting passwords to be changed in immediate succession within the same day, allows users to cycle password through their history database. This enables users to effectively negate the purpose of mandating periodic password changes. |
| STIG | Date |
|---|---|
| Defense Switched Network (DSN) STIG | 2017-01-19 |
Details
| Check Text ( C-7372r1_chk ) |
|---|
| Have the IAO or SA demonstrate compliance with the requirement; minimally on a sampling of the related or effected devices. Inspect configuration files as applicable. |
| Fix Text (F-7538r1_fix) |
|---|
| Eensure that user passwords are not allowed to be changed for at least 24 hours after change operation. |