The network device must use multifactor authentication for network access to privileged accounts.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000139-NDM-000102	SRG-NET-000139-NDM-000102	SRG-NET-000139-NDM-000102_rule		Medium

Description
Multifactor authentication uses two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). A privileged account is defined as: An information system account with authorizations of a privileged user. Network Access is defined as: Access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet). Multifactor authentication provides strong protection for authentication mechanisms. Without a strong authentication method, the system is more easily breached by standard access control attacks.

Description

Multifactor authentication uses two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). A privileged account is defined as: An information system account with authorizations of a privileged user. Network Access is defined as: Access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet). Multifactor authentication provides strong protection for authentication mechanisms. Without a strong authentication method, the system is more easily breached by standard access control attacks.

STIG	Date
Network Device Management Security Requirements Guide	2013-07-30

Details

Check Text ( C-SRG-NET-000139-NDM-000102_chk )
If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the network device application itself, this is not a finding. Verify the configuration for the network device requires access by multifactor authentication mechanisms (e.g., PKI, or DoD Alternate Token). If multifactor authentication is not used for network access to privileged accounts, this is a finding.

Check Text ( C-SRG-NET-000139-NDM-000102_chk )

If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the network device application itself, this is not a finding.

Verify the configuration for the network device requires access by multifactor authentication mechanisms (e.g., PKI, or DoD Alternate Token).

If multifactor authentication is not used for network access to privileged accounts, this is a finding.

Fix Text (F-SRG-NET-000139-NDM-000102_fix)
Configure all accounts accessing the network device to use multifactor authentication (e.g., PKI or DoD Alternate Token).