Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
SRG-NET-000143-FW-000087 | SRG-NET-000143-FW-000087 | SRG-NET-000143-FW-000087_rule | Medium |
Description |
---|
To assure individual accountability and prevent unauthorized access, organizational users (and any processes acting on behalf of users) must be individually identified and authenticated. Sharing group accounts on any device is prohibited. If group accounts are not changed when individuals leave the group, that person could gain control of the network device. However, there are times when these shared accounts are deemed mission essential. The security architecture of the firewall and any installed applications must allow use of an individual authenticator (e.g., AAA server or Active Directory authentication) prior to using individual authentications. Group authenticators must be necessary for the operation of the system. |
STIG | Date |
---|---|
Firewall Security Requirements Guide | 2012-12-10 |
Check Text ( C-SRG-NET-000143-FW-000087_chk ) |
---|
If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the firewall application itself, this is not a finding. Review the firewall account management configuration and settings to determine if all individuals authorized access to the system have an individual account and that account is required to gain access to the system prior to the use of a group account. If group authentication does not require prior individual authentication, this is a finding. |
Fix Text (F-SRG-NET-000143-FW-000087_fix) |
---|
Configure the firewall implementation to require individuals to authenticate with an individual authenticator prior to using a group authenticator. |