
The IDPS must enforce the organizationally defined time period during which the limit of consecutive invalid access attempts by a user is counted.


Overview

Finding ID: V-34508
Version: SRG-NET-000039-IDPS-00037
Rule ID: SV-45350r1_rule
IA Controls:
Severity: Medium
Description
One of the most prevalent ways an attacker tries to gain access to a system is by repeatedly trying to access an account and guessing a password. To reduce the risk of malicious access attempts being successful, the IDPS implementation must define and limit the number of times a user account may consecutively fail a login attempt within a defined time period, and subsequently lock that account when the maximum number has been reached. By limiting the number of failed login attempts within a specified time period, the risk of unauthorized system access via user password guessing, otherwise known as a brute-force attack, is reduced.
STIG: Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Date: 2012-11-19

Details

Check Text (C-42700r2_chk)
Verify the IDPS is configured to enforce the organizationally defined time period during which the limit of consecutive invalid access attempts by a user is counted.

If the IDPS is not configured with an organizationally defined time period during which the number of consecutive invalid access attempts is counted, this is a finding.
Fix Text (F-38746r2_fix)
Configure the IDPS to count the number of consecutive failed access attempts occurring during an organizationally defined time period.
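The description and fix text above describe a sliding-window counter: consecutive failed logins are counted only within an organizationally defined period, a successful login breaks the run, and the account is locked once the limit is reached. The following is an added example of that logic in Python; it is not part of the STIG and not taken from any IDPS product. The threshold (3 attempts), the counting window (15 minutes), the lockout duration (30 minutes) and the sample authentication events are all constructed for the example; an organization would substitute its own defined values.

```python
"""Sliding-window consecutive-failure counter with account lockout.

Added illustration of the control: failures are counted only inside an
organizationally defined window, a success resets the consecutive count,
and the account is locked once the limit is reached. All thresholds and
sample events below are constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    max_attempts: int = 3          # consecutive failures allowed inside the window (assumed)
    window_seconds: int = 900      # organizationally defined counting period (assumed: 15 min)
    lockout_seconds: int = 1800    # how long the account stays locked (assumed: 30 min)


@dataclass
class FailedLoginTracker:
    policy: LockoutPolicy = field(default_factory=LockoutPolicy)
    # per-user timestamps of failures that are still inside the counting window
    _failures: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    # per-user time at which an active lock expires
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def _expire(self, user: str, now: float) -> None:
        """Drop failures older than the counting window (the 'time period' of the rule)."""
        q = self._failures[user]
        while q and now - q[0] > self.policy.window_seconds:
            q.popleft()

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]   # lock has expired
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed attempt; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        self._expire(user, now)
        q = self._failures[user]
        q.append(now)
        if len(q) >= self.policy.max_attempts:
            self._locked_until[user] = now + self.policy.lockout_seconds
            q.clear()
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """A successful login breaks the run of consecutive failures.
        Returns False when the login must be refused because the account is locked."""
        if self.is_locked(user, now):
            return False
        self._failures[user].clear()
        return True

    def failure_count(self, user: str, now: float) -> int:
        """Failures currently counted against the user (inside the window)."""
        self._expire(user, now)
        return len(self._failures[user])


# Constructed sample authentication records: (epoch seconds, user, outcome)
SAMPLE_EVENTS: List[Tuple[float, str, str]] = [
    (0,    "alice", "FAIL"),
    (60,   "alice", "FAIL"),
    (120,  "alice", "FAIL"),   # third failure within the window -> locked
    (130,  "alice", "OK"),     # correct password, but refused while locked
    (0,    "bob",   "FAIL"),
    (1000, "bob",   "FAIL"),   # first failure has aged out of the 900 s window
    (1500, "bob",   "FAIL"),   # only two counted -> not locked
    (0,    "carol", "FAIL"),
    (10,   "carol", "OK"),     # success resets the consecutive count
    (20,   "carol", "FAIL"),
    (30,   "carol", "FAIL"),   # two since the reset -> not locked
]


def replay(events: List[Tuple[float, str, str]],
           policy: Optional[LockoutPolicy] = None) -> Dict[str, bool]:
    """Replay events in time order; return which users are locked at the final timestamp."""
    tracker = FailedLoginTracker(policy or LockoutPolicy())
    last_ts = 0.0
    for ts, user, result in sorted(events):
        last_ts = ts
        if result == "FAIL":
            tracker.record_failure(user, ts)
        else:
            tracker.record_success(user, ts)
    return {u: tracker.is_locked(u, last_ts) for u in {e[1] for e in events}}


if __name__ == "__main__":
    for user, locked in sorted(replay(SAMPLE_EVENTS).items()):
        print(f"{user}: {'LOCKED' if locked else 'ok'}")
```

The check in the STIG is satisfied only if both parameters are explicit: a limit with no window (or a window of unlimited length) counts every failure the account has ever had, while a window with no limit never locks anything. The `bob` events show why the window matters: three failures in total, but never three inside one 15-minute period, so no lock.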