UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The network device must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.


Overview

Finding ID Version Rule ID IA Controls Severity
V-55113 SRG-APP-000163-NDM-000251 SV-69359r3_rule Medium
Description
Inactive identifiers pose a risk to network devices. Attackers that are able to exploit an inactive identifier can potentially obtain and maintain undetected access to the device. Owners of inactive accounts may not notice if unauthorized access to their account has been obtained. Network devices need to track periods of inactivity and disable application identifiers after 35 days of inactivity. This control does not apply to the account of last resort or root account. DoD prohibits local user accounts on the device, except for an account of last resort and (where applicable) a root account.
STIG Date
Network Device Management Security Requirements Guide 2017-04-07

Details

Check Text ( C-55935r2_chk )
Determine if the network device disables identifiers after 35 days of inactivity for all local identifiers except for the account of last resort or root account. For non-local accounts, verify that the device is configured to use an authentication server.

If the network device does not have the capability to automatically disable or remove identifiers after 35 days of inactivity, this is a finding.
Fix Text (F-60179r2_fix)
Configure the network device or its associated authentication server to disable identifiers after 35 days of inactivity. For remote logon using the authentication server, configure this capability on the authentication server. Disable or remove unauthorized local identifiers, except for the account of last resort and the root account.