The network device or authentication server must automatically remove or disable emergency accounts, except the emergency administration account, after 72 hours.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-55175	SRG-APP-000234-NDM-000272	SV-69421r3_rule		Medium

Description
Emergency accounts are administrator accounts which are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If emergency accounts remain active when no longer needed, they may be used to gain unauthorized access. The risk is greater for the network device since these accounts have elevated privileges. To mitigate this risk, automated termination of these accounts must be set upon account creation. It is important to note the difference between emergency accounts and the emergency administration account. The emergency administration account, also known as the account of last resort, is an infrequently used account used by network administrators only when network or normal logon/access is not available. The emergency administration account is not subject to automatic termination dates. The emergency administration account must never be automatically removed or disabled. If the emergency accounts are configured on the device, this requirement applies to the device. If the emergency accounts are configured on an authentication server, this requirement applies to the authentication server.

Description

Emergency accounts are administrator accounts which are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If emergency accounts remain active when no longer needed, they may be used to gain unauthorized access. The risk is greater for the network device since these accounts have elevated privileges. To mitigate this risk, automated termination of these accounts must be set upon account creation. It is important to note the difference between emergency accounts and the emergency administration account. The emergency administration account, also known as the account of last resort, is an infrequently used account used by network administrators only when network or normal logon/access is not available. The emergency administration account is not subject to automatic termination dates. The emergency administration account must never be automatically removed or disabled. If the emergency accounts are configured on the device, this requirement applies to the device. If the emergency accounts are configured on an authentication server, this requirement applies to the authentication server.

STIG	Date
Network Device Management Security Requirements Guide	2016-07-07

Details

Check Text ( C-55795r4_chk )
Review the network device configuration to determine if it automatically disables or removes emergency accounts, except the emergency administration account, after 72 hours or is configured to use an authentication server which would perform this function. If the use of emergency accounts is prohibited, this is not a finding. If the network device or its associated authentication server does not automatically disable or remove emergency accounts, except the emergency administration account, after 72 hours, this is a finding.

Check Text ( C-55795r4_chk )

Review the network device configuration to determine if it automatically disables or removes emergency accounts, except the emergency administration account, after 72 hours or is configured to use an authentication server which would perform this function. If the use of emergency accounts is prohibited, this is not a finding. If the network device or its associated authentication server does not automatically disable or remove emergency accounts, except the emergency administration account, after 72 hours, this is a finding.

Fix Text (F-60039r3_fix)
Configure the network device or its associated authentication server to automatically disable or remove emergency accounts, except the emergency administration account, after 72 hours. An acceptable method would be to place an expiration date on the accounts upon creation.