
The MDM server must automatically disable inactive administrator accounts after an organization defined time period.


Overview

Finding ID: V-36007
Version: SRG-APP-025-MDM-002-SRV
Rule ID: SV-47396r1_rule
IA Controls:
Severity: High
Description
Users are often the first line of defense within an application, and account management and distribution are vital to its security. If an attacker compromises an account, the entire MDM server infrastructure, including the mobile devices on the network, is at risk. Authentication for user or administrative access to the system is required at all times. Inactive accounts could be reactivated or compromised by unauthorized users, allowing them to exploit vulnerabilities and maintain undetected access to the system. There is always a risk that inactive accounts will be reactivated or compromised by unauthorized users who could then gain full control of the device, enabling them to trigger a denial of service, intercept sensitive information, or disrupt the MDM server.
STIG: Mobile Device Manager Security Requirements Guide
Date: 2013-01-24

Details

Check Text ( C-44246r1_chk )
Review the MDM server configuration to determine whether inactive administrator accounts are automatically disabled after a set period of time. If the duration is not set in accordance with the organization's policy, this is a finding.
Fix Text (F-40537r1_fix)
Configure the MDM server to automatically disable an inactive administrator account after a set period of time.
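As an added illustration (not part of the STIG or of any MDM vendor's code), the following Python sketches both halves of this rule: the check, which compares the server's configured inactivity period against the organization's policy, and the fix, an automatic sweep that disables administrator accounts whose last activity is older than that period and records an audit entry for each. The account names, timestamps, and the 35-day policy value are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample data (assumption): administrator accounts on an MDM server.
# last_activity is the later of last successful login and account creation.
@dataclass
class AdminAccount:
    username: str
    last_activity: datetime
    enabled: bool = True

NOW = datetime(2013, 3, 1, tzinfo=timezone.utc)   # constructed "current time"
POLICY_DAYS = 35                                    # assumed organization-defined period
SAMPLE_ACCOUNTS = [
    AdminAccount("mdm-admin-alice", datetime(2013, 2, 20, tzinfo=timezone.utc)),
    AdminAccount("mdm-admin-bob", datetime(2012, 11, 15, tzinfo=timezone.utc)),
    AdminAccount("mdm-admin-carol", datetime(2012, 10, 1, tzinfo=timezone.utc), enabled=False),
]

def check_inactivity_setting(configured_days: Optional[int], policy_days: int) -> str:
    """Check text: compare the MDM server's configured inactivity period with policy.
    configured_days is None when automatic disabling is not enabled at all."""
    if configured_days is None:
        return "finding: automatic disabling of inactive administrator accounts is not configured"
    if configured_days > policy_days:
        return f"finding: configured period of {configured_days} days exceeds policy of {policy_days} days"
    return "not a finding"

def disable_inactive_admins(accounts: List[AdminAccount], period_days: int, now: datetime) -> List[dict]:
    """Fix text: disable every enabled administrator account whose last activity is
    older than the period. Returns one audit record per account disabled."""
    cutoff = now - timedelta(days=period_days)
    audit = []
    for acct in accounts:
        if not acct.enabled or acct.last_activity >= cutoff:
            continue  # already disabled, or still active within the period
        acct.enabled = False
        audit.append({
            "event": "admin_account_disabled",
            "username": acct.username,
            "inactive_days": (now - acct.last_activity).days,
            "when": now.isoformat(),
        })
    return audit

if __name__ == "__main__":
    print(check_inactivity_setting(90, POLICY_DAYS))
    for record in disable_inactive_admins(SAMPLE_ACCOUNTS, POLICY_DAYS, NOW):
        print(record)
```

In a real deployment the sweep would run on a schedule inside the MDM server and the audit records would go to the server's audit log, so that each automatic disable is attributable later.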