
The network device must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.


Overview

Finding ID: SRG-NET-000015-NDM-000015
Version: SRG-NET-000015-NDM-000015
Rule ID: SRG-NET-000015-NDM-000015_rule
IA Controls: (none listed)
Severity: High
Description
Enforcement of approved authorizations for access control allows granularity of privilege assignments for each administrator and ensures only authorized users have access to certain commands and functions on the network device. A good practice is to minimize the number of local accounts on network devices to those needed when the network is unavailable. The remaining administrator accounts are then defined and managed on the AAA server, which often has more robust account management functions. If management of authorizations and privileges is not enforced, it is difficult to track and manage user authorizations and privileges, and there is an increased risk of misconfiguration.

Authorizations for user accounts used to access network devices should be centralized to the AAA server even when the authorization is configured in the network device application. If an authentication server is used, special network device application privileges and authorizations must either be configured in the authentication server or synchronized once configured on the network device.

This requirement applies to logical access authorizations for user accounts that are managed and controlled using the network device application rather than the operating system or network authentication server. Accounts created and maintained on authentication servers (e.g., RADIUS, LDAP, or Active Directory) are secured using the applicable security guide or STIG. This requirement does not apply to local emergency accounts or system accounts.
STIG: Network Device Management Security Requirements Guide
Date: 2013-07-30

Details

Check Text ( C-SRG-NET-000015-NDM-000015_chk )
Verify access to information and system resources for each network device is restricted based on a properly configured access control policy.

If the network device is not configured to enforce approved authorizations for logical access to each component in accordance with applicable access control policy, this is a finding.

Fix Text (F-SRG-NET-000015-NDM-000015_fix)
Configure the network device to enforce account privileges for logical access to the network device information and system resources in accordance with access control policy.
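The SRG is vendor-neutral and gives no command syntax, so the following is an added example (not part of the SRG or the STIG Viewer page) of how an auditor could automate the check above against a saved configuration. It assumes Cisco IOS-style syntax for the aaa, username and line stanzas, a constructed site policy that allows at most two local (emergency/fallback) accounts, and that privilege levels 1 and 15 are the ones in use; the two sample configurations are constructed for the example, with placeholder secrets.

```python
"""Audit an IOS-style configuration for SRG-NET-000015-NDM-000015:
per-administrator privilege levels and command authorization enforced via AAA.

Assumptions (constructed for this example; the SRG itself is vendor-neutral):
  - Cisco IOS-style 'aaa', 'username' and 'line' syntax.
  - Site policy (assumed) allows at most MAX_LOCAL_ACCOUNTS local accounts,
    since non-emergency administrator accounts belong on the AAA server.
  - Privilege levels 1 and 15 (the IOS defaults) are assumed to be in use.
"""
import re

MAX_LOCAL_ACCOUNTS = 2          # assumed site policy
REQUIRED_CMD_LEVELS = {1, 15}   # assumed levels in use

USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")
AUTHZ_EXEC_RE = re.compile(r"^aaa authorization exec\s+\S+\s+group\s+(\S+)")
AUTHZ_CMD_RE = re.compile(r"^aaa authorization commands\s+(\d+)\s+\S+\s+group\s+(\S+)")
LINE_RE = re.compile(r"^line\s+(.+)")
LINE_PRIV_RE = re.compile(r"^\s+privilege level\s+(\d+)")


def parse_config(text):
    """Collect the AAA, local-account and line-privilege facts the check needs."""
    facts = {"aaa_new_model": False, "exec_authz_groups": [],
             "cmd_authz_levels": {}, "local_users": {}, "line_privilege": {}}
    current_line = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line[0].isspace():      # any top-level command ends a 'line' stanza
            current_line = None
        if line == "aaa new-model":
            facts["aaa_new_model"] = True
        elif (m := AUTHZ_EXEC_RE.match(line)):
            facts["exec_authz_groups"].append(m.group(1))
        elif (m := AUTHZ_CMD_RE.match(line)):
            facts["cmd_authz_levels"][int(m.group(1))] = m.group(2)
        elif (m := USERNAME_RE.match(line)):
            facts["local_users"][m.group(1)] = int(m.group(2) or 1)  # IOS default is level 1
        elif (m := LINE_RE.match(line)):
            current_line = m.group(1)
        elif current_line and (m := LINE_PRIV_RE.match(line)):
            facts["line_privilege"][current_line] = int(m.group(1))
    return facts


def audit(facts):
    """Return a list of finding strings; an empty list means the check passes."""
    findings = []
    if not facts["aaa_new_model"]:
        findings.append("'aaa new-model' absent: AAA is not enabled, so privilege enforcement "
                        "falls back to line passwords")
    if not facts["exec_authz_groups"]:
        findings.append("no 'aaa authorization exec ... group': EXEC privilege level is not "
                        "assigned per administrator by the AAA server")
    needed = REQUIRED_CMD_LEVELS | set(facts["local_users"].values())
    for level in sorted(needed - set(facts["cmd_authz_levels"])):
        findings.append(f"no 'aaa authorization commands {level} ... group': commands at "
                        f"privilege level {level} are not authorized against policy")
    n_local = len(facts["local_users"])
    if n_local > MAX_LOCAL_ACCOUNTS:
        findings.append(f"{n_local} local accounts configured (policy allows "
                        f"{MAX_LOCAL_ACCOUNTS}); move non-emergency accounts to the AAA server")
    for name, level in facts["line_privilege"].items():
        findings.append(f"'line {name}' forces privilege level {level} on every session, "
                        "bypassing per-administrator privilege levels")
    return findings


def audit_config(text):
    return audit(parse_config(text))


# Constructed sample: weak configuration (no AAA, three local admins, line-level override).
WEAK_CONFIG = """\
!
username admin privilege 15 secret 5 <hash-placeholder>
username netops1 privilege 15 secret 5 <hash-placeholder>
username netops2 secret 5 <hash-placeholder>
!
line vty 0 4
 privilege level 15
 transport input ssh
!
"""

# Constructed sample: compliant configuration (AAA-driven exec and command authorization,
# a single local emergency account, no line-level privilege override).
COMPLIANT_CONFIG = """\
aaa new-model
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
username emergency privilege 15 secret 5 <hash-placeholder>
!
line vty 0 4
 authorization exec default
 authorization commands 15 default
 transport input ssh
!
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("compliant", COMPLIANT_CONFIG)):
        result = audit_config(cfg)
        print(f"{label}: {'PASS' if not result else 'FINDING'}")
        for f in result:
            print("  -", f)
```

The script only reads a saved configuration, so it can be run offline against exported configs as part of a periodic compliance review; the same parse-then-audit split makes it easy to swap in another vendor's syntax by replacing the regular expressions while keeping the policy checks.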