The network device must provide the capability for a privileged administrator to configure the organizationally defined security policy filters to support different security policies.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000022-NDM-000021	SRG-NET-000022-NDM-000021	SRG-NET-000022-NDM-000021_rule		Medium

Description
The network device must be configured to restrict management access according to the privilege level the user has been granted. Authorization to configure security policies requires the highest privilege level. Authorization of user accounts is usually performed using the authentication server; however, on some network devices, this is done on the device itself, regardless of where the account resides. The access control configuration must provide the capability to assign network device administrators to tiered groups containing required privilege levels. If system administrators cannot be configured with different security policy filters, then need-to-know cannot be enforced.

Description

The network device must be configured to restrict management access according to the privilege level the user has been granted. Authorization to configure security policies requires the highest privilege level. Authorization of user accounts is usually performed using the authentication server; however, on some network devices, this is done on the device itself, regardless of where the account resides. The access control configuration must provide the capability to assign network device administrators to tiered groups containing required privilege levels. If system administrators cannot be configured with different security policy filters, then need-to-know cannot be enforced.

STIG	Date
Network Device Management Security Requirements Guide	2013-07-30

Details

Check Text ( C-SRG-NET-000022-NDM-000021_chk )
Verify the network device provides the system administrators the ability to configure security policy filters (e.g., creating groups with different authorizations and privileges). Verify the system has the capability to assign security levels to groups and individual users as needed. If the network device does not provide the capability to configure security policy filters, this is a finding.

Fix Text (F-SRG-NET-000022-NDM-000021_fix)
Create security policy filters by creating security groups or use pre-existing groups. Assign privileges to each group based on varying need-for-access. Assign system administrators as group members to each group based on level of access required.