The maximum number of unsuccessful login attempts must be set to an organizationally defined value.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-NET-000038-IDPS-000058 | SRG-NET-000038-IDPS-000058 | SRG-NET-000038-IDPS-000058_rule | Medium |
| Description |
|---|
| A malicious or unauthorized user could gain access to an IDPS by guessing or using methods such as dictionary attack, word list substitution, or brute force attack-all of which require multiple login attempts. By limiting the number of failed login attempts within a defined period of time, the risk of unauthorized system access via user password guessing can be mitigated. |
| STIG | Date |
|---|---|
| IDPS Security Requirements Guide (SRG) | 2012-03-08 |
Details
| Check Text ( C-43186_chk ) |
|---|
| View the authentication retry setting. Verify the authentication retry attempts is set to an organizationally defined value. If the login attempts value is not set to an organizationally defined value, this is a finding. |
| Fix Text (F-43186_fix) |
|---|
| Set the number of unsuccessful login attempts to an organizationally defined value. |