
The network device must be configured to dynamically manage administrative privileges and associated command authorizations.


Overview

Finding ID: SRG-NET-000014-NDM-000014
Version: SRG-NET-000014-NDM-000014
Rule ID: SRG-NET-000014-NDM-000014_rule
IA Controls:
Severity: Medium
Description
Dynamic privilege management includes immediate (i.e., not requiring users to terminate and restart the session to reflect changes in privileges) revocation or adjustment of privileges and authorizations. If the network device is not configured to dynamically manage account privileges and associated access authorizations to meet security policies, then changes in account privileges or command authorizations may not immediately take effect and unauthorized entities may gain access to the information.
STIG Date
Network Device Management Security Requirements Guide 2013-07-30

Details

Check Text (C-SRG-NET-000014-NDM-000014_chk)
Verify privileges and command authorizations are immediately (i.e., not requiring users to terminate and restart the session to reflect changes in privileges) revoked when changed.
Test this functionality by making a change to the authorizations or privileges for an account while it is in an open session with the network device application.
Verify the change has been implemented without the need for session restart.

If changes to account privileges and access authorizations are not dynamically managed, this is a finding.
Fix Text (F-SRG-NET-000014-NDM-000014_fix)
Configure the network device to use dynamic privilege management mechanisms to dynamically manage account privileges and associated access authorizations.
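
Added example (not part of the SRG text and not any vendor's implementation): a small Python model of the check above, contrasting a session that copies authorizations at login with one that consults the policy store on every command. The class names, the account name and the command strings are hypothetical.

```python
# Toy model of dynamic privilege management. All names are hypothetical;
# this is not the API of any real network device or AAA server.

class PolicyStore:
    """Central authorization source: account -> set of permitted commands."""
    def __init__(self):
        self._grants = {}

    def set_commands(self, account, commands):
        self._grants[account] = frozenset(commands)

    def allowed(self, account):
        return self._grants.get(account, frozenset())


class CachedSession:
    """Non-compliant: copies the account's authorizations once, at login."""
    def __init__(self, store, account):
        self._allowed = store.allowed(account)

    def authorize(self, command):
        return command in self._allowed


class DynamicSession:
    """Compliant: consults the policy store for every command."""
    def __init__(self, store, account):
        self._store, self._account = store, account

    def authorize(self, command):
        return command in self._store.allowed(self._account)


def run_check(session_cls):
    """Mirror the Check Text: change authorizations during an open session.

    Returns True when the revocation takes effect without a session restart
    (no finding), False when the open session keeps the old privilege (finding).
    """
    store = PolicyStore()
    # Constructed sample data: account name and command strings are made up.
    store.set_commands("netadmin", {"show running-config", "configure terminal"})
    session = session_cls(store, "netadmin")                  # session opened
    assert session.authorize("configure terminal")            # granted before the change
    store.set_commands("netadmin", {"show running-config"})   # revoke mid-session
    return not session.authorize("configure terminal")


if __name__ == "__main__":
    for cls in (CachedSession, DynamicSession):
        print(cls.__name__, "no finding" if run_check(cls) else "FINDING")
```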