The network device must provide automated support for account management functions.


Overview

Finding ID: V-55037
Version: SRG-APP-000023-NDM-000205
Rule ID: SV-69283r1_rule
IA Controls:
Severity: Medium
Description
Account management functions include: assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The network device must be configured to automatically provide account management functions, and these functions must immediately enforce the organization's current account policy.

All accounts used for access to the network device are privileged or system-level accounts. Therefore, if account management functions are not automatically enforced, an attacker could gain privileged access to a vital element of the network security architecture.

This control does not include emergency administration accounts that provide access to the network device components in case of network failure. There must be only one such locally defined account. All other accounts must be defined, created, and managed on the site's authentication server (e.g., RADIUS, LDAP, or Active Directory).

This requirement is applicable to account management functions provided by the network device application. If the function is provided by the underlying OS or an authentication server, it must be secured using the applicable security guide or STIG.
STIG: Network Device Management Security Requirements Guide
Date: 2015-06-26

Details

Check Text (C-55659r1_chk)
Review the network device configuration to determine if it provides automated account management or uses an authentication server that provides the automated account management. If it does not provide automated account management or use an authentication server to provide automated account management, this is a finding.
Fix Text (F-59903r1_fix)
Configure the network device to provide automated account management or use an authentication server that provides automated account management.
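
One way to automate the review described in the Check Text, as an added example that is not part of the SRG: the script flags a configuration that does not delegate logins to an authentication server or that defines more than one local account. The SRG is vendor-neutral, so the Cisco IOS-style syntax, the function name `audit_account_management` and both sample configurations are assumptions constructed for illustration.

```python
import re

# Assumption: Cisco IOS-style syntax; adapt the patterns to the device in scope.
LOCAL_USER = re.compile(r"^username\s+(\S+)", re.M)
AAA_ENABLED = re.compile(r"^aaa new-model\s*$", re.M)
SERVER_DEF = re.compile(r"^(?:radius|tacacs) server\s+\S+", re.M)
LOGIN_METHOD = re.compile(r"^aaa authentication login\s+\S+\s+(.+)$", re.M)

def audit_account_management(config: str) -> list[str]:
    """Return finding strings; an empty list means no finding."""
    findings = []
    local_users = sorted(set(LOCAL_USER.findall(config)))
    methods = [m.split() for m in LOGIN_METHOD.findall(config)]
    if not AAA_ENABLED.search(config):
        findings.append("AAA is not enabled; accounts are managed on the device")
    if not SERVER_DEF.search(config):
        findings.append("no authentication server is defined")
    if not methods:
        findings.append("no AAA login method list is configured")
    # A server group must be tried before any local fallback.
    for method in methods:
        if method[0] != "group":
            findings.append("login list does not start with a server group: "
                            + " ".join(method))
    # Only the single emergency account may be defined locally.
    if len(local_users) > 1:
        findings.append("more than one local account: " + ", ".join(local_users))
    return findings

# Constructed sample: server-managed accounts plus one emergency account.
COMPLIANT = """\
aaa new-model
radius server AUTH1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login default group radius local
username emergency privilege 15 secret 9 CONSTRUCTED
"""

# Constructed sample: every administrator is a local account.
NONCOMPLIANT = """\
username admin privilege 15 secret 9 CONSTRUCTED
username netops privilege 15 secret 9 CONSTRUCTED
line vty 0 4
 login local
"""

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, audit_account_management(cfg) or "no finding")
```

The script does not confirm that the single local account is reserved for emergency use; that still needs a manual review.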