
The IDPS must automatically lock out an account after the maximum number of unsuccessful login attempts are exceeded and remain locked for an organizationally defined time period or until released by an administrator.


Overview

Finding ID: V-34509
Version: SRG-NET-000040-IDPS-00038
Rule ID: SV-45351r1_rule
IA Controls: (none listed)
Severity: Medium
Description
The IDPS must delay the next login prompt using an organizationally defined delay algorithm when the maximum number of unsuccessful access attempts is exceeded. The system must automatically lock the account/node for an organizationally defined time period, or lock the account/node until released by an administrator, according to organizational policy. Locking out an account after the maximum number of unsuccessful login attempts is exceeded reduces the risk of unauthorized system access via password guessing. Usually, the configuration allows both release settings (a timed release and an administrator release) rather than forcing a choice of one or the other.
STIG: Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Date: 2012-11-19

Details

Check Text (C-42701r1_chk)
Verify the setting for account lockout time release is set so the lockout remains in place for an organizationally defined time period or until a system administrator takes action to unlock the account.

If the account lockout is not set to release either after an organizationally defined time delay or when the system administrator takes action to unlock the account, this is a finding.
Fix Text (F-38747r2_fix)
Configure the lockout time setting for accounts used for accessing the IDPS. Configure the account lockout to release only when the administrator takes action to unlock the account, or after an organizationally defined time period.
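The following is an added example, not part of the SRG text and not any vendor's IDPS configuration: a Python model of the behaviour the Description, Check and Fix above describe. It tracks consecutive failures per account, applies an exponential-backoff delay to the next prompt (an assumed delay algorithm), locks the account at the threshold, and releases the lock either after a time period or only on administrator action. The threshold (3), release period (900 s) and base delay (1 s) are placeholder values standing in for the organizationally defined settings; FakeClock is constructed so the scenarios run without waiting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class LockoutPolicy:
    # Placeholder values standing in for the organizationally defined settings.
    max_attempts: int = 3                      # lock once this many consecutive failures occur
    lockout_seconds: Optional[float] = 900.0   # None means release only by an administrator
    base_delay: float = 1.0                    # seconds; doubled per failure (assumed algorithm)


@dataclass
class AccountState:
    failures: int = 0
    locked_at: Optional[float] = None          # clock reading when the lock was applied


class LockoutTracker:
    """Tracks failed logins per account and enforces the lockout policy."""

    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float] = time.monotonic):
        self.policy = policy
        self.clock = clock                     # injectable so the demo can advance time
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        st = self._state(user)
        if st.locked_at is None:
            return False
        timeout = self.policy.lockout_seconds
        if timeout is not None and self.clock() - st.locked_at >= timeout:
            self.accounts[user] = AccountState()  # timed release: clear lock and counter
            return False
        return True                               # still locked, or admin-only release

    def next_prompt_delay(self, user: str) -> float:
        """Delay before the next prompt: exponential backoff in the failure count (assumed)."""
        failures = self._state(user).failures
        return 0.0 if failures == 0 else self.policy.base_delay * 2 ** (failures - 1)

    def record_failure(self, user: str) -> bool:
        """Register a failed attempt; returns True if the account is now locked."""
        if self.is_locked(user):
            return True
        st = self._state(user)
        st.failures += 1
        if st.failures >= self.policy.max_attempts:
            st.locked_at = self.clock()
        return self.is_locked(user)

    def record_success(self, user: str) -> bool:
        """A correct credential is refused while locked; otherwise the counter resets."""
        if self.is_locked(user):
            return False
        self.accounts[user] = AccountState()
        return True

    def admin_unlock(self, user: str) -> None:
        """Administrator action releases the lock regardless of elapsed time."""
        self.accounts[user] = AccountState()


class FakeClock:
    """Constructed clock for the demonstration; production code uses time.monotonic."""
    def __init__(self) -> None:
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_scenarios() -> Dict[str, bool]:
    """Exercise both release modes and return the observable outcomes (all should be True)."""
    clock = FakeClock()
    timed = LockoutTracker(LockoutPolicy(max_attempts=3, lockout_seconds=900.0), clock)
    for _ in range(3):
        timed.record_failure("alice")
    locked_after_threshold = timed.is_locked("alice")
    refused_while_locked = not timed.record_success("alice")  # right password, still refused
    clock.advance(900.0)
    released_after_period = timed.record_success("alice")

    admin_only = LockoutTracker(LockoutPolicy(max_attempts=3, lockout_seconds=None), clock)
    for _ in range(3):
        admin_only.record_failure("bob")
    clock.advance(10 ** 6)                                    # no amount of time releases it
    still_locked_without_admin = admin_only.is_locked("bob")
    admin_only.admin_unlock("bob")
    released_by_admin = admin_only.record_success("bob")

    return {
        "locked_after_threshold": locked_after_threshold,
        "refused_while_locked": refused_while_locked,
        "released_after_period": released_after_period,
        "still_locked_without_admin": still_locked_without_admin,
        "released_by_admin": released_by_admin,
    }
```

Two points the model makes concrete for the check: a correct credential presented during the lock must still be refused (otherwise the lock only slows guessing rather than stopping it), and with an administrator-only policy the lock must survive arbitrary elapsed time. Both are what an assessor would probe when verifying the setting on a real IDPS.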