The MDM server, when the maximum number of unsuccessful attempts is exceeded, must automatically lock the account for an organization defined time period or must lock the account until released by an administrator IAW organizational policy.


Overview

Finding ID: V-36010
Version: SRG-APP-067-MDM-005-SRV
Rule ID: SV-47399r1_rule
IA Controls: none listed
Severity: High
Description
One of the most prevalent ways an attacker tries to gain access to a system is by repeatedly attempting to log in to an account while guessing its password. To reduce the risk that such attempts succeed, the MDM server must define and limit the number of times a user account may consecutively fail a login attempt within a defined time period, and must lock that account once the maximum number has been reached. Limiting the number of failed login attempts reduces the risk of unauthorized system access through password guessing, otherwise known as a brute-force attack.
STIG: Mobile Device Manager Security Requirements Guide
Date: 2013-01-24

Details

Check Text (C-44249r1_chk)
Review the MDM server configuration to determine whether an account can be locked after the organization's defined number of unsuccessful attempts has been reached. If this cannot be set or is set to something other than the organization's policy, this is a finding.
Fix Text (F-40540r1_fix)
Configure the MDM server to lock accounts when the maximum number of unsuccessful attempts is exceeded.
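The following is an added illustration of the lockout behaviour the Description and Fix Text call for; it is not code from the STIG or from any MDM product. It models an organization-defined policy (maximum consecutive failures, the time window in which they are counted, and either a timed lockout or a lock held until an administrator releases it), enforces it per account, and includes a small function mirroring the Check Text: the configured setting is compared with organizational policy and anything missing or different is reported as a finding. Class and function names, and the sample policy values in the usage note, are assumptions made for the example.

```python
"""Account lockout after repeated failed logins (added illustrative example)."""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    """Organization-defined lockout parameters (hypothetical structure)."""
    max_attempts: int                # consecutive failures tolerated inside the window
    window_seconds: int              # failures older than this no longer count
    lockout_seconds: Optional[int]   # None: stay locked until an administrator releases


@dataclass
class AccountState:
    failure_times: List[float] = field(default_factory=list)
    locked_until: Optional[float] = None   # math.inf while awaiting administrator release


class LockoutTracker:
    """Tracks failed logins per account and enforces the lockout policy (in memory)."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            # Timed lockout has expired: release and start a fresh failure count.
            st.locked_until = None
            st.failure_times.clear()
            return False
        return True

    def attempt_login(self, user: str, password_ok: bool, now: float) -> str:
        """Return 'locked', 'ok' or 'failed'.

        A locked account is refused before the credential is evaluated, so
        further guesses during the lockout period learn nothing.
        """
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            st.failure_times.clear()
            return "ok"
        # Only failures inside the policy window count towards the maximum.
        cutoff = now - self.policy.window_seconds
        st.failure_times = [t for t in st.failure_times if t > cutoff]
        st.failure_times.append(now)
        if len(st.failure_times) >= self.policy.max_attempts:
            if self.policy.lockout_seconds is None:
                st.locked_until = math.inf           # held until administrator release
            else:
                st.locked_until = now + self.policy.lockout_seconds
            return "locked"
        return "failed"

    def admin_unlock(self, user: str) -> None:
        """Administrator release, the only way out of an indefinite lockout."""
        st = self._state(user)
        st.locked_until = None
        st.failure_times.clear()


def check_lockout_setting(configured: Optional[LockoutPolicy],
                          required: LockoutPolicy) -> str:
    """Mirror of the check text: a finding if lockout cannot be set or differs from policy."""
    if configured is None:
        return "finding: account lockout cannot be configured"
    if configured != required:
        return "finding: lockout settings differ from organizational policy"
    return "not a finding"
```

With a constructed policy of three attempts in a 600-second window and a 900-second lockout, the third consecutive failure locks the account, a correct password during the lockout is still refused, and the account opens again only once the period has elapsed; with `lockout_seconds=None` it stays locked until `admin_unlock` is called. State is kept in memory purely for illustration; a server would persist it so a restart does not clear the lock.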