
The IDPS must enforce approved authorizations for logical access to IDPS components in accordance with applicable policy.


Overview

Finding ID: V-34481
Version: SRG-NET-000015-IDPS-00015
Rule ID: SV-45256r1_rule
IA Controls: (blank)
Severity: Medium
Description

Depending on the implementation, accounts used for administrator access to the IDPS components may be defined in the management console, sensor application, sensor operating system, or the network authentication server. In some systems the account is created on the authentication server; however, privileges for the IDPS are assigned and managed from the IDPS console.

Enforcement of approved authorizations for access control allows granularity of privilege assignments for each administrator and ensures only authorized users have access to certain commands and functions on the IDPS. A best practice is to allow only emergency and required accounts on the IDPS components. Remaining administrator accounts are then defined on an authentication, authorization, and accounting (AAA) server. By configuring the IDPS to collaborate with an authentication server, it can enforce the appropriate authorization for each administrator. If management of authorizations and privileges is not enforced, it is difficult to track and manage user authorizations and privileges, and there is an increased risk of misconfiguration.

This requirement applies to account privileges and logical access that are managed and controlled by the IDPS rather than the operating system or network authentication server. Accounts created and maintained on AAA devices (e.g., RADIUS, LDAP, or Active Directory) are secured using the applicable security guide or STIG. Security for the operating system or authentication server accounts is beyond the scope of this security guide. This requirement does not apply to local emergency accounts, which should be used sparingly.

STIG: Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Date: 2012-11-19

Details

Check Text ( C-42603r1_chk )
Verify access to each IDPS component is configured to enforce approved authorizations for logon.

If IDPS components are not configured to enforce approved authorizations for logical access to each component in accordance with applicable policy, this is a finding.

Fix Text (F-38652r1_fix)
Configure each IDPS component to enforce account privileges for logical access to the device.
If an authentication server is used, special IDPS application privileges and authorizations must either be configured in the authentication server or synchronized once configured on the IDPS.
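The check and fix above can be turned into a repeatable audit of an IDPS account inventory. The following is an added example, not DISA tooling or any vendor's export format: the account record fields, the approved role-to-privilege policy, and the sample inventory are all constructed for illustration and would be adapted to the product's actual export.

```python
"""Audit an IDPS account inventory against SRG-NET-000015-IDPS-00015.

Added example (not DISA's or any vendor's code). The record schema below is an
assumption; real management consoles export their own field names.
"""
from dataclasses import dataclass, field

# Approved authorizations per IDPS role, as set by local policy (constructed).
APPROVED_POLICY = {
    "idps_admin": {"view_events", "edit_policy", "manage_sensors"},
    "idps_analyst": {"view_events"},
}
# The only accounts permitted to exist locally on the component itself.
PERMITTED_LOCAL = {"emergency"}


@dataclass
class Account:
    name: str
    source: str                 # "local" or "aaa" (RADIUS/LDAP/AD-backed)
    role: str                   # role assigned on the IDPS console
    privileges: set = field(default_factory=set)


def audit(accounts):
    """Return a list of findings; an empty list means the check passes."""
    findings = []
    for acct in accounts:
        # Remaining administrator accounts must be defined on the AAA server.
        if acct.source == "local" and acct.name not in PERMITTED_LOCAL:
            findings.append(f"{acct.name}: local admin account should be defined on the AAA server")
        # Every account must map to a role with an approved authorization set.
        if acct.role not in APPROVED_POLICY:
            findings.append(f"{acct.name}: role '{acct.role}' has no approved authorization set")
            continue
        # Privileges beyond those approved for the role indicate misconfiguration.
        excess = acct.privileges - APPROVED_POLICY[acct.role]
        if excess:
            findings.append(f"{acct.name}: unapproved privileges {sorted(excess)}")
    return findings


# Constructed sample inventory that exercises each branch of the check.
SAMPLE = [
    Account("emergency", "local", "idps_admin", {"view_events", "edit_policy", "manage_sensors"}),
    Account("jdoe", "aaa", "idps_analyst", {"view_events"}),
    Account("backup_admin", "local", "idps_admin", {"view_events"}),
    Account("msmith", "aaa", "idps_analyst", {"view_events", "edit_policy"}),
    Account("svc", "aaa", "superuser", {"manage_sensors"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Any non-empty result corresponds to "this is a finding" in the check text; the emergency account and the AAA-backed analyst with policy-conforming privileges produce no output.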