
The firewall implementation must support the organizational requirement to ensure individuals are authenticated with an individual authenticator prior to using a group authenticator.


Overview

Finding ID: SRG-NET-000143-FW-000087
Version: SRG-NET-000143-FW-000087
Rule ID: SRG-NET-000143-FW-000087_rule
IA Controls:
Severity: Medium
Description
To assure individual accountability and prevent unauthorized access, organizational users (and any processes acting on behalf of users) must be individually identified and authenticated. Sharing group accounts on any device is prohibited. If group accounts are not changed when an individual leaves the group, that person could gain control of the network device. However, there are times when these shared accounts are deemed mission essential. The security architecture of the firewall and any installed applications must allow use of an individual authenticator (e.g., AAA server or Active Directory authentication) prior to using a group authenticator. Group authenticators must be necessary for the operation of the system.
STIG Date
Firewall Security Requirements Guide 2012-12-10

Details

Check Text (C-SRG-NET-000143-FW-000087_chk)
If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the firewall application itself, this is not a finding.

Review the firewall account management configuration and settings to determine whether every individual authorized to access the system has an individual account and whether that account is required to gain access to the system prior to the use of a group account.

If group authentication does not require prior individual authentication, this is a finding.
Fix Text (F-SRG-NET-000143-FW-000087_fix)
Configure the firewall implementation to require individuals to authenticate with an individual authenticator prior to using a group authenticator.