The IDPS must be configured to dynamically manage account privileges and associated access authorizations.


Overview

Finding ID: V-34476
Version: SRG-NET-000014-IDPS-00014
Rule ID: SV-45239r1_rule
IA Controls: (none listed)
Severity: Medium
Description
In contrast to conventional access control methods, which use static information system accounts and predefined sets of account privileges, dynamic access control approaches (e.g., service-oriented architectures) rely on run-time access control decisions facilitated by dynamic privilege management. While account identities may remain relatively constant over time, account privileges may change more frequently based on ongoing mission/business requirements and the operational needs of organizations. Dynamic privilege management includes immediate revocation of privileges (not requiring users to terminate and restart the session for changes in privileges to take effect). Dynamic privilege management can also refer to mechanisms that change the privileges of users based on dynamic rules, rather than by editing specific user profiles. Other mechanisms include making automatic adjustments to privileges if accounts are operating outside normal work times, if information systems are under duress, or in emergency maintenance situations. If the IDPS is not configured to dynamically manage account privileges and associated access authorizations to meet security policies, unauthorized entities may gain access to the information.
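The description above contrasts a static model, in which a session carries the privileges it was given at login, with a dynamic one, in which every access decision is made at run time against the current policy. The following is an added example written for this page; it is not code from the STIG, the IDPS SRG, or any IDPS product. It assumes a constructed central policy store, an account name, privilege names of the form "admin:..." and "read:...", and fixed work hours, all chosen only to illustrate the behaviour the requirement asks for: a revocation is visible to an existing session immediately, and dynamic rules (out-of-hours, duress) adjust privileges without anyone editing the account.

```python
"""Added illustration of static vs. dynamic privilege management.

Everything here is constructed for the example: the policy store, the
account "analyst1", the privilege names and the work-hours window.
"""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class PolicyStore:
    """Central, mutable source of truth for privileges and dynamic rules."""
    privileges: dict = field(default_factory=dict)  # account -> set of privilege names
    work_start: time = time(8, 0)
    work_end: time = time(18, 0)
    duress: bool = False  # set by operators when the system is under duress

    def grant(self, account: str, priv: str) -> None:
        self.privileges.setdefault(account, set()).add(priv)

    def revoke(self, account: str, priv: str) -> None:
        # Takes effect for dynamic sessions on their very next request.
        self.privileges.get(account, set()).discard(priv)

    def in_work_hours(self, now: datetime) -> bool:
        return self.work_start <= now.time() < self.work_end


class StaticSession:
    """Conventional model: privileges are snapshotted once at login.

    A revocation made after login is not seen until the user logs in again,
    which is exactly the gap the requirement is meant to close.
    """

    def __init__(self, store: PolicyStore, account: str) -> None:
        self.account = account
        self._cached = set(store.privileges.get(account, set()))

    def allowed(self, priv: str, now: datetime) -> bool:
        return priv in self._cached


class DynamicSession:
    """Dynamic model: every request is decided against the live policy store."""

    def __init__(self, store: PolicyStore, account: str) -> None:
        self.store = store
        self.account = account

    def allowed(self, priv: str, now: datetime) -> bool:
        current = self.store.privileges.get(self.account, set())
        if priv not in current:
            return False  # revocation is visible immediately, no re-login needed
        if priv.startswith("admin:"):
            if self.store.duress:
                return False  # dynamic rule: privileged actions suspended under duress
            if not self.store.in_work_hours(now):
                return False  # dynamic rule: no privileged actions outside work hours
        return True


def demo() -> dict:
    """Walk one account through the scenarios named in the requirement."""
    store = PolicyStore()
    store.grant("analyst1", "read:alerts")
    store.grant("analyst1", "admin:tune-signatures")
    static = StaticSession(store, "analyst1")    # snapshot taken here
    dynamic = DynamicSession(store, "analyst1")
    in_hours = datetime(2024, 1, 15, 10, 0)      # constructed timestamps
    out_hours = datetime(2024, 1, 15, 22, 0)

    results = {}
    results["static_in_hours"] = static.allowed("admin:tune-signatures", in_hours)
    results["dynamic_in_hours"] = dynamic.allowed("admin:tune-signatures", in_hours)
    results["dynamic_out_of_hours"] = dynamic.allowed("admin:tune-signatures", out_hours)

    store.duress = True
    results["dynamic_admin_under_duress"] = dynamic.allowed("admin:tune-signatures", in_hours)
    results["dynamic_read_under_duress"] = dynamic.allowed("read:alerts", in_hours)
    store.duress = False

    store.revoke("analyst1", "admin:tune-signatures")  # revoked mid-session
    results["static_after_revoke"] = static.allowed("admin:tune-signatures", in_hours)
    results["dynamic_after_revoke"] = dynamic.allowed("admin:tune-signatures", in_hours)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the comparison is the last two results: the static session still reports the revoked privilege as allowed because it trusts its login-time snapshot, while the dynamic session denies it on the next request. In a real IDPS the "policy store" would be the management platform or an external authorization service, and a check for this requirement amounts to confirming that the sensor or console consults it per request (or receives pushed updates) rather than caching privileges for the life of the session.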
STIG: Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Date: 2012-11-19

Details

Check Text ( C-42588r1_chk )
Verify the IDPS is configured to dynamically manage account privileges and associated access authorizations, so that changes to account privileges take effect without the affected user having to restart the session.

If changes to account privileges are not dynamically updated, this is a finding.
Fix Text (F-38635r1_fix)
Configure the IDPS to use dynamic privilege management mechanisms.
Employ these mechanisms to automatically apply changes to account privileges so that they take immediate effect, without requiring the session to be restarted.