
The IDPS must enforce the highest privilege level administrative access to enable or disable security policy filters.


Overview

Finding ID: SRG-NET-000021-IDPS-000045
Version: SRG-NET-000021-IDPS-000045
Rule ID: SRG-NET-000021-IDPS-000045_rule
IA Controls:
Severity: Medium
Description
The use of AAA affords the best methods for controlling user access, authorization levels, and activity logging. By enabling AAA on the IDPS in conjunction with an authentication server, the administrators can easily add, modify, or delete accounts as well as add or remove command authorizations and privilege levels. The use of an authentication server provides the capability to assign network administrators and engineers to tiered groups containing their associated or required privilege level. The IDPS must be configured to restrict management access according to the privilege level the user has been granted. Authorization to add, modify, or delete security policy filters must require the highest privilege level. If system administrators cannot be configured with different security privileges, then need-to-know cannot be enforced.
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text (C-43163_chk)
Verify only authorized IDPS system administrators have accounts capable of enabling or disabling rules and signatures.

If users who are not system administrators are permitted access to the sensors or other components, this is a finding. If audit or other restricted administrators have access to enable and disable rules and signatures, this is a finding.
Fix Text (F-43163_fix)
Remove non-privileged users from the groups and accounts with access to the IDPS.