The IDPS must automatically lock out an account after the maximum number of unsuccessful login attempts are exceeded and remain locked until released by an administrator.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-NET-000040-IDPS-000059 | SRG-NET-000040-IDPS-000059 | SRG-NET-000040-IDPS-000059_rule | Medium |
| Description |
|---|
| Locking out an account after a maximum number of unsuccessful login attempts are exceeded will reduce the risk of unauthorized system access via password guessing. |
| STIG | Date |
|---|---|
| IDPS Security Requirements Guide (SRG) | 2012-03-08 |
Details
| Check Text ( C-43187_chk ) |
|---|
| Verify the setting for account lockout time release is set so the lockout remain in place until a system administrator takes action to unlock the account. If the account lockout time is not set to release only when the system administrator takes action to unlock the account, this is a finding. |
| Fix Text (F-43187_fix) |
|---|
| Enable the setting or lockout time for administrator accounts used for accessing IDPS. Configure the account lockout to release only when the administrator takes action to unlock the account. |