The firewall implementation must automatically terminate emergency accounts after an organizationally defined time period.


Overview

Finding ID: SRG-NET-000003-FW-000003
Version: SRG-NET-000003-FW-000003
Rule ID: SRG-NET-000003-FW-000003_rule
IA Controls:
Severity: Low
Description
Emergency accounts are established in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency accounts are not to be confused with infrequently used accounts (e.g., local login accounts used when network resources are unavailable). Such accounts remain available and are not subject to automatic termination dates.

If these accounts remain active when no longer needed, they may be used to gain unauthorized access. The risk is greater for the firewall since these accounts have elevated privileges. To mitigate this risk, automated termination of all emergency accounts must be set upon account creation.

This control does not include emergency administration accounts which are meant for access to the firewall components in case of network failure. These accounts must not be automatically disabled.

This requirement is applicable to emergency accounts created or managed using the firewall application itself rather than the underlying OS or an authentication server. Accounts created and maintained on AAA devices (e.g., RADIUS, LDAP, or Active Directory) are secured using the applicable security guide or STIG.
STIG Date
Firewall Security Requirements Guide 2012-12-10

Details

Check Text (C-SRG-NET-000003-FW-000003_chk)
If the site's security plan does not permit the use of emergency accounts for access to the firewall, this is not a finding.

Review the firewall to ensure the system is configured to automatically terminate emergency accounts after an organizationally defined time period.

If the firewall components do not automatically terminate emergency accounts after an organizationally defined time period, this is a finding.
Fix Text (F-SRG-NET-000003-FW-000003_fix)
Configure the firewall implementation to automatically terminate emergency accounts after an organizationally defined time period.