The network device must automatically terminate emergency accounts after an organization defined time period.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000003-NDM-000003	SRG-NET-000003-NDM-000003	SRG-NET-000003-NDM-000003_rule		Low

Description
Emergency accounts are established in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency accounts are not to be confused with infrequently used accounts (e.g., local login accounts used when network resources are unavailable). Such accounts remain available and are not subject to automatic termination dates. If these accounts remain active when no longer needed, they may be used to gain unauthorized access. The risk is greater for the network device since these accounts have elevated privileges. To mitigate this risk, automated termination of all emergency accounts must be set upon account creation. This control does not include emergency administration accounts which are meant for access to the network device components in case of network failure. These accounts must not be automatically disabled. This requirement is applicable to emergency accounts created or managed using the network device application itself rather than the underlying OS or an authentication server. Accounts created and maintained on an authentication server (e.g., RADIUS, LDAP, or Active Directory) are secured using the applicable security guide or STIG.

Description

Emergency accounts are established in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency accounts are not to be confused with infrequently used accounts (e.g., local login accounts used when network resources are unavailable). Such accounts remain available and are not subject to automatic termination dates. If these accounts remain active when no longer needed, they may be used to gain unauthorized access. The risk is greater for the network device since these accounts have elevated privileges. To mitigate this risk, automated termination of all emergency accounts must be set upon account creation. This control does not include emergency administration accounts which are meant for access to the network device components in case of network failure. These accounts must not be automatically disabled. This requirement is applicable to emergency accounts created or managed using the network device application itself rather than the underlying OS or an authentication server. Accounts created and maintained on an authentication server (e.g., RADIUS, LDAP, or Active Directory) are secured using the applicable security guide or STIG.

STIG	Date
Network Device Management Security Requirements Guide	2013-07-30

Details

Check Text ( C-SRG-NET-000003-NDM-000003_chk )
If the site's security plan does not permit the use of emergency accounts for access to the network device, this is not a finding. Review the network device to ensure the system is configured to automatically terminate emergency accounts after an organizationally defined time period. If the network device components do not automatically terminate emergency accounts after an organizationally defined time period, this is a finding.

Check Text ( C-SRG-NET-000003-NDM-000003_chk )

If the site's security plan does not permit the use of emergency accounts for access to the network device, this is not a finding.

Review the network device to ensure the system is configured to automatically terminate emergency accounts after an organizationally defined time period.

If the network device components do not automatically terminate emergency accounts after an organizationally defined time period, this is a finding.

Fix Text (F-SRG-NET-000003-NDM-000003_fix)
Configure the network device to automatically terminate emergency accounts after an organizationally defined time period.