
The firewall implementation must automatically lock an account after the maximum number of unsuccessful login attempts are exceeded and remain locked for an organizationally defined time period or until released by an administrator.


Overview

Finding ID: V-37079
Version: SRG-NET-000040-FW-000035
Rule ID: SV-48840r1_rule
IA Controls:
Severity: Medium
Description
The firewall implementation must automatically lock the account for an organizationally defined time period or until released by an administrator according to organizational policy. Locking an account after the maximum number of unsuccessful login attempts is exceeded will reduce the risk of unauthorized system access via password guessing. When the maximum number of unsuccessful login attempts is exceeded, the possible actions are as follows: (i) lock the account for an organizationally defined time period, then automatically unlock the account; (ii) require the account be unlocked by manual administrator action; or (iii) delay the next login prompt using an organizationally defined delay algorithm.
STIG: Firewall Security Requirements Guide
Date: 2013-04-24

Details

Check Text (C-45452r1_chk)
Verify the setting for account lockout time release is set so the lockout remains in place for an organizationally defined time period or until a system administrator takes action to unlock the account.

If the account lockout is not configured to release only when an administrator takes action to unlock the account or automatically after an organizationally defined time period, this is a finding.
Fix Text (F-42025r1_fix)
Configure the lockout time setting for accounts used for accessing the firewall. Configure the account lockout to release only when an administrator takes action to unlock the account or after an organizationally defined time period.
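
The three actions listed in the Description, modeled as a small login gate. This is an added example, not part of the SRG or of any firewall product; the class names, the threshold of 3, the 900-second lock period and the doubling delay are assumptions standing in for organizationally defined values.

```python
import math
import time
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    max_attempts: int = 3        # assumed organization-defined value
    mode: str = "timed"          # "timed" = (i), "admin" = (ii), "delay" = (iii)
    lock_seconds: float = 900.0  # assumed organization-defined lock period
    base_delay: float = 2.0      # assumed delay algorithm: doubles per extra failure

class LoginGate:
    def __init__(self, policy, clock=time.monotonic):
        self.policy, self.clock = policy, clock
        self.failures = {}       # user -> consecutive failed attempts
        self.blocked_until = {}  # user -> clock value; math.inf = until admin unlock

    def attempt(self, user, password_ok):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        now = self.clock()
        if now < self.blocked_until.get(user, 0.0):
            return "locked"      # a locked account rejects even a correct password
        if password_ok:
            self.failures[user] = 0
            return "ok"
        count = self.failures[user] = self.failures.get(user, 0) + 1
        p = self.policy
        if count >= p.max_attempts:  # interpretation: lock when the maximum is reached
            if p.mode == "admin":
                self.blocked_until[user] = math.inf
            elif p.mode == "timed":
                self.blocked_until[user] = now + p.lock_seconds
                self.failures[user] = 0  # fresh allowance after automatic unlock
            else:  # "delay": keep counting so the wait keeps growing
                extra = count - p.max_attempts
                self.blocked_until[user] = now + p.base_delay * 2 ** extra
        return "denied"

    def admin_unlock(self, user):
        """Manual release by an administrator, valid in every mode."""
        self.failures[user] = 0
        self.blocked_until.pop(user, None)
```

The clock is injectable so the lock period can be exercised in a test without waiting for it to elapse.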