The network device must automatically disable accounts after a 35-day period of account inactivity.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-55041	SRG-APP-000025-NDM-000207	SV-69287r1_rule		Medium

Description
Since the accounts in the network device are privileged or system-level accounts, account management is vital to the security of the network device. Inactive accounts could be reactivated or compromised by unauthorized users, allowing exploitation of vulnerabilities and undetected access to the network device. This control does not include emergency administration accounts, which are meant for access to the network device components in case of network failure.

Description

Since the accounts in the network device are privileged or system-level accounts, account management is vital to the security of the network device. Inactive accounts could be reactivated or compromised by unauthorized users, allowing exploitation of vulnerabilities and undetected access to the network device. This control does not include emergency administration accounts, which are meant for access to the network device components in case of network failure.

STIG	Date
Network Device Management Security Requirements Guide	2015-06-26

Details

Check Text ( C-55663r1_chk )
Review the network device configuration to determine if it automatically disables accounts after 35 days of inactivity or is configured to use an authentication server which would perform this function. If accounts are not automatically disabled after 35 days of inactivity, this is a finding.

Fix Text (F-59907r1_fix)
Configure the network device or its associated authentication server to automatically disable accounts after 35 days of inactivity.