UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The network device must automatically remove or disable emergency accounts after 72 hours.


Overview

Finding ID Version Rule ID IA Controls Severity
V-55175 SRG-APP-000234-NDM-000272 SV-69421r1_rule Medium
Description
Emergency accounts are administrator accounts which are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If emergency accounts remain active when no longer needed, they may be used to gain unauthorized access. The risk is greater for the network device since these accounts have elevated privileges. To mitigate this risk, automated termination of all emergency accounts must be set upon account creation. Emergency accounts are different from infrequently used accounts (i.e., local login accounts used by network administrators when network or normal logon/access is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency account is normally a different account which is created for use by vendors or system maintainers.
STIG Date
Network Device Management Security Requirements Guide 2015-06-26

Details

Check Text ( C-55795r1_chk )
Review the network device configuration to determine if it automatically disables or removes emergency accounts after 72 hours or is configured to use an authentication server which would perform this function. If the use of emergency accounts is prohibited, this is not a finding. If the network device or its associated authentication server does not automatically disable or remove emergency accounts after 72 hours, this is a finding.
Fix Text (F-60039r1_fix)
Configure the network device or its associated authentication server to automatically disable or remove emergency accounts after 72 hours. An acceptable method would be to place an expiration date on the account upon creation.