The firewall implementation must enforce approved authorizations for logical access to the firewall in accordance with applicable policy.


Overview

Finding ID: SRG-NET-000015-FW-000015
Version: SRG-NET-000015-FW-000015
Rule ID: SRG-NET-000015-FW-000015_rule
IA Controls:
Severity: Medium
Description
Enforcement of approved authorizations for access control allows granular privilege assignment for each administrator and ensures that only authorized users have access to certain commands and functions on the firewall. A best practice is to minimize the number of local accounts on network devices, reserving them for use when the network is unavailable. The remaining administrator accounts are then defined and managed on the AAA server, which often has more robust account management functions. If management of authorizations and privileges is not enforced, it is difficult to track and manage user authorizations and privileges, and there is an increased risk of misconfiguration.

This requirement applies to account privileges and logical access authorizations that are managed and controlled by the firewall rather than by the operating system or a network authentication server. Accounts created and maintained on AAA devices (e.g., RADIUS, LDAP, or Active Directory) are secured using the applicable security guide or STIG. This requirement does not apply to local emergency accounts, which should be used sparingly.
STIG: Firewall Security Requirements Guide
Date: 2012-12-10

Details

Check Text ( C-SRG-NET-000015-FW-000015_chk )
Verify access to each firewall is configured to enforce approved authorizations for login.

If the firewall is not configured to enforce approved authorizations for logical access to each component in accordance with applicable policy, this is a finding.

Fix Text (F-SRG-NET-000015-FW-000015_fix)
Configure each firewall to enforce account privileges for logical access to the device.
If an authentication server is used, special firewall application privileges and authorizations must either be configured in the authentication server or synchronized once configured on the firewall.
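The check and fix above are stated in vendor-neutral terms. As an added illustration (not part of the STIG and not any vendor's tooling), the following Python script audits a firewall configuration export for the controls this requirement describes: local accounts limited to emergency use, and login authentication and command/exec authorization delegated to an AAA server group. The line syntax it parses (`username ... privilege N [emergency]`, `aaa authentication login ...`, `aaa authorization exec|commands ...`), the hostname, the RADIUS address and the two sample exports are all constructed assumptions for the example; real platforms use their own syntax and the regexes would need adapting.

```python
"""Audit a firewall configuration export for AAA-enforced authorizations.

Added example for the STIG requirement above; the configuration format is a
constructed, vendor-neutral line syntax assumed for illustration only.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample export: several privileged local accounts and only local
# authentication, i.e. authorizations are not enforced by the AAA server.
WEAK_CONFIG = """\
hostname fw-edge-1
username admin privilege 15
username jdoe privilege 15
username backup-op privilege 15
username break-glass privilege 15 emergency
aaa authentication login default local
"""

# Constructed sample export: a single emergency account remains local; login,
# exec and command authorization go to the RADIUS group with local fallback.
HARDENED_CONFIG = """\
hostname fw-edge-1
username break-glass privilege 15 emergency
aaa server radius host 192.0.2.10
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa authorization commands 15 default group radius local
"""

# Hypothetical syntax: an optional trailing "emergency" keyword marks the
# break-glass accounts the requirement exempts.
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)(\s+emergency)?\s*$")
LOGIN_RE = re.compile(r"^aaa authentication login\s+\S+\s+(.+)$")
AUTHZ_RE = re.compile(r"^aaa authorization (exec|commands)\b.*\bgroup\s+\S+")


@dataclass
class AuditResult:
    local_accounts: List[str] = field(default_factory=list)      # non-emergency local accounts
    emergency_accounts: List[str] = field(default_factory=list)  # accounts tagged "emergency"
    findings: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings


def audit_config(config: str, max_emergency_accounts: int = 1) -> AuditResult:
    """Return the local-account inventory and a list of findings for one export."""
    result = AuditResult()
    login_methods: Optional[List[str]] = None
    authz_types: Set[str] = set()

    for raw in config.splitlines():
        line = raw.strip()
        if m := USERNAME_RE.match(line):
            name, _privilege, emergency = m.groups()
            (result.emergency_accounts if emergency else result.local_accounts).append(name)
        elif m := LOGIN_RE.match(line):
            login_methods = m.group(1).split()
        elif m := AUTHZ_RE.match(line):
            authz_types.add(m.group(1))

    # Every non-emergency local account should instead be defined on the AAA server.
    for name in result.local_accounts:
        result.findings.append(
            f"local account '{name}' is not an emergency account; define and manage it on the AAA server"
        )
    if len(result.emergency_accounts) > max_emergency_accounts:
        result.findings.append(
            f"{len(result.emergency_accounts)} emergency accounts exceed the allowed {max_emergency_accounts}"
        )
    # Login must be authenticated against a server group, not the local database alone.
    if login_methods is None or "group" not in login_methods:
        result.findings.append("login authentication does not use an AAA server group")
    # Both session (exec) and per-command authorization must be delegated to AAA.
    for kind in ("exec", "commands"):
        if kind not in authz_types:
            result.findings.append(f"no AAA authorization configured for {kind}")
    return result


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        res = audit_config(cfg)
        print(f"{label}: compliant={res.compliant}")
        for finding in res.findings:
            print(f"  - {finding}")
```

Running the script reports six findings for the weak export (three unmanaged local accounts, local-only login, and missing exec and command authorization) and none for the hardened one. The `emergency` tag and the single-account limit model the STIG's exemption for sparingly used local emergency accounts; how such accounts are distinguished on a real device is platform-specific.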