The network device must support the organizational requirement to ensure individuals are authenticated with an individual authenticator prior to using a group authenticator.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-NET-000143-NDM-000104	SRG-NET-000143-NDM-000104	SRG-NET-000143-NDM-000104_rule		Medium

Description
To assure individual accountability and prevent unauthorized access, organizational users (and any processes acting on behalf of users) must be individually identified and authenticated. Sharing group accounts on any device is prohibited. If group accounts are not changed when individuals leave the group, that person could gain control of the network device. However, there are times when these shared accounts are deemed mission essential. The security architecture of the network device and any installed applications must allow use of an individual authenticator (e.g., AAA server or Active Directory authentication) prior to using individual authentications. Group authenticators must be necessary for the operation of the system.

Description

To assure individual accountability and prevent unauthorized access, organizational users (and any processes acting on behalf of users) must be individually identified and authenticated. Sharing group accounts on any device is prohibited. If group accounts are not changed when individuals leave the group, that person could gain control of the network device. However, there are times when these shared accounts are deemed mission essential. The security architecture of the network device and any installed applications must allow use of an individual authenticator (e.g., AAA server or Active Directory authentication) prior to using individual authentications. Group authenticators must be necessary for the operation of the system.

STIG	Date
Network Device Management Security Requirements Guide	2013-07-30

Details

Check Text ( C-SRG-NET-000143-NDM-000104_chk )
If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the network device application itself, this is not a finding. Review the network device account management configuration and settings to determine if all individuals authorized access to the system have an individual account and that account is required to gain access to the system prior to the use of a group account. If group authentication does not require prior individual authentication, this is a finding.

Check Text ( C-SRG-NET-000143-NDM-000104_chk )

If authentication functionality is provided by the underlying platform's account management system or by a network authentication server rather than the network device application itself, this is not a finding.

Review the network device account management configuration and settings to determine if all individuals authorized access to the system have an individual account and that account is required to gain access to the system prior to the use of a group account.

If group authentication does not require prior individual authentication, this is a finding.

Fix Text (F-SRG-NET-000143-NDM-000104_fix)
Configure the network device to require individuals to authenticate with an individual authenticator prior to using a group authenticator.