Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-34509 | SRG-NET-000040-IDPS-00038 | SV-45351r1_rule | | Medium |
Description |
---|
The IDPS must delay the next login prompt using an organizationally defined delay algorithm when the maximum number of unsuccessful access attempts is exceeded. The system must automatically lock the account/node for an organizationally defined time period, or lock the account/node until released by an administrator, according to organizational policy. Locking out an account after the maximum number of unsuccessful login attempts is exceeded reduces the risk of unauthorized system access via password guessing. Usually, the configuration allows both settings rather than one or the other. |
STIG | Date |
---|---|
Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide | 2012-11-19 |
Check Text ( C-42701r1_chk ) |
---|
Verify the setting for account lockout time release is set so the lockout remains in place for an organizationally defined time period or until a system administrator takes action to unlock the account. If the account lockout time is not set to release after an organizationally defined time delay, or when the system administrator takes action to unlock the account, this is a finding. |
Fix Text (F-38747r2_fix) |
---|
Configure the lockout time setting for accounts used for accessing the IDPS. Configure the account lockout to release only when the administrator takes action to unlock the account, or after an organizationally defined time period. |
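The two release modes the rule allows (timed release or administrator release), the next-prompt delay, and the compliance check from the Check Text, as an added example in Python; it is not part of the STIG or of any IDPS product, and the setting names (`max_attempts`, `release_after`, `base_delay`) are assumptions standing in for whatever the product exposes.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class LockoutPolicy:
    """Settings an IDPS might expose for this rule (assumed names, not a real product's)."""
    max_attempts: int             # failed logins allowed before the lock engages
    release_after: Optional[int]  # seconds until timed release; None = admin release only
    base_delay: float = 2.0       # delay algorithm: seconds, doubled per extra failure

def policy_is_compliant(p: LockoutPolicy) -> bool:
    """Check Text: the lock must hold for a defined period or until admin action;
    a lock that releases immediately (0 seconds) is a finding."""
    return p.max_attempts >= 1 and (p.release_after is None or p.release_after > 0)

class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.failures: Dict[str, int] = {}     # consecutive failed attempts per account
        self.locked_at: Dict[str, float] = {}  # time the lock engaged per account

    def is_locked(self, account: str, now: float) -> bool:
        since = self.locked_at.get(account)
        if since is None:
            return False
        if self.policy.release_after is None:
            return True                        # only admin_unlock clears it
        if now - since >= self.policy.release_after:
            self.admin_unlock(account)         # timed release: same reset as admin action
            return False
        return True

    def record_failure(self, account: str, now: float) -> float:
        """Count a failed attempt and return the delay before the next prompt."""
        n = self.failures[account] = self.failures.get(account, 0) + 1
        if n > self.policy.max_attempts:       # maximum exceeded: lock and start delaying
            self.locked_at.setdefault(account, now)
            return self.policy.base_delay * 2 ** (n - self.policy.max_attempts - 1)
        return 0.0

    def record_success(self, account: str, now: float) -> bool:
        if self.is_locked(account, now):
            return False                       # correct password still rejected while locked
        self.admin_unlock(account)             # successful login resets the counters
        return True

    def admin_unlock(self, account: str) -> None:
        self.failures.pop(account, None)
        self.locked_at.pop(account, None)
```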