In the event the authentication server is unavailable, there must be one local account created for emergency administration use.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-64001 | SRG-APP-000148-NDM-000346 | SV-78491r1_rule | Medium |
| Description |
|---|
| Authentication for administrative (privileged level) access to the device is required at all times. An account can be created on the device's local database for use in an emergency, such as when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is also referred to as the account of last resort since the emergency administration account is strictly intended to be used only as a last resort and immediate administrative access is absolutely necessary. The number of emergency administration accounts is restricted to at least one, but no more than operationally required as determined by the ISSO. The emergency administration account logon credentials must be stored in a sealed envelope and kept in a safe. |
| STIG | Date |
|---|---|
| Network Device Management Security Requirements Guide | 2017-04-07 |
Details
| Check Text ( C-64753r1_chk ) |
|---|
| Review the network device configuration to determine if an authentication server is defined for gaining administrative access. If so, there must be one account configured locally for an emergency. Verify the username and password for the emergency account is contained within a sealed envelope kept in a safe. |
| Fix Text (F-69931r1_fix) |
|---|
| Configure the device to only allow one local account for emergency administrative access. |