
The firewall implementation must provide automated support for account management functions.


Overview

Finding ID: V-37035
Version: SRG-NET-000001-FW-000001
Rule ID: SV-48796r1_rule
IA Controls:
Severity: Low
Description
Account management functions include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The firewall implementation must be configured to automatically provide account management functions, and these functions must immediately enforce the organization's current account policy.

All accounts used for access to the firewall are privileged or system-level accounts. Therefore, if account management functions are not automatically enforced, an attacker could gain privileged access to a vital element of the network security architecture.

This control does not include infrequently used accounts that provide access to the firewall components in case of network failure. There must be only one such locally defined account (SRG-NET-999999-FW-000175). All other accounts must be defined, created, and managed on the site's authentication server (e.g., AAA server such as RADIUS, LDAP, or Active Directory).

This requirement is applicable to account management functions provided by the firewall application. If the function is provided by the underlying OS or an authentication server, it must be secured using the applicable security guide or STIG.

STIG: Firewall Security Requirements Guide
Date: 2013-04-24

Details

Check Text (C-45328r1_chk)
Verify that account management for the firewall implementation is performed using automated account management functions.
Verify that the account management functions include the following capabilities: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts.

If the firewall implementation does not provide automated support for account management functions, this is a finding.
Fix Text (F-41894r1_fix)
Enable the firewall implementation for automated support of account management functions for accounts used to administer and configure the firewall implementation application.