UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The firewall implementation must automatically lock an account after the maximum number of unsuccessful login attempts are exceeded and remain locked for an organizationally defined time period or until released by an administrator.


Overview

Finding ID Version Rule ID IA Controls Severity
V-37079 SRG-NET-000040-FW-000035 SV-48840r1_rule Medium
Description
The firewall implementation must automatically lock the account for an organizationally defined time period or until released by an administrator according to organizational policy. Locking an account after a maximum number of unsuccessful login attempts are exceeded will reduce the risk of unauthorized system access via password guessing. When the maximum number of unsuccessful login attempts is exceeded the possible actions are as follows. (i) Lock the account for an organizationally defined time period then automatically unlock the account; (ii) Require the account be unlocked by manual administrator action; or (iii) Delay the next login prompt using an organizationally defined delay algorithm.
STIG Date
Firewall Security Requirements Guide 2013-04-24

Details

Check Text ( C-45452r1_chk )
Verify the setting for account lockout time release is set so the lockout remains in place for an organizationally defined time period or until a system administrator takes action to unlock the account.

If the account lockout is not configured to release only when an administrator takes action to unlock the account or automatically after an organizationally defined time period, this is a finding.
Fix Text (F-42025r1_fix)
Configure the lockout time setting for accounts used for accessing the firewall. Configure the account lockout to release only when an administrator takes action to unlock the account or after an organizationally defined time period.