Authorized accounts must be assigned the least privilege level necessary to perform assigned duties.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-3057	NET0465	SV-15471r4_rule		Medium

Description
By not restricting authorized accounts to their proper privilege level, access to restricted functions may be allowed before authorized personell are trained or experienced enough to use those functions. Network disruptions or outages may occur due to mistakes made by inexperienced persons using accounts with greater privileges than necessary.

STIG	Date
Perimeter Router Security Technical Implementation Guide Cisco	2018-11-28

Details

Check Text ( C-12937r5_chk )
Review the accounts authorized for access to the network device. Determine if the accounts are assigned the lowest privilege level necessary to perform assigned duties. User accounts must be set to a specific privilege level which can be mapped to specific commands or a group of commands. Authorized accounts should have the least privilege level unless deemed necessary for assigned duties. If it is determined that authorized accounts are assigned to greater privileges than necessary, this is a finding. Below is an example of assigning a privilege level to a local user account and changing the default privilege level of the configure terminal command. username junior-engineer1 privilege 7 password xxxxxx privilege exec level 7 configure terminal The above example only covers local accounts. You will also need to check the accounts and their associated privilege levels configured in the authentication server. You can also use TACACS+ for even more granularity at the command level as shown in the following example: user = junior-engineer1 { password = clear "xxxxx" service = shell { set priv-lvl = 7 } }

Check Text ( C-12937r5_chk )

Review the accounts authorized for access to the network device. Determine if the accounts are assigned the lowest privilege level necessary to perform assigned duties. User accounts must be set to a specific privilege level which can be mapped to specific commands or a group of commands. Authorized accounts should have the least privilege level unless deemed necessary for assigned duties.

If it is determined that authorized accounts are assigned to greater privileges than necessary, this is a finding.

Below is an example of assigning a privilege level to a local user account and changing the default privilege level of the configure terminal command.

username junior-engineer1 privilege 7 password xxxxxx
privilege exec level 7 configure terminal

The above example only covers local accounts. You will also need to check the accounts and their associated privilege levels configured in the authentication server. You can also use TACACS+ for even more granularity at the command level as shown in the following example:

user = junior-engineer1 {
password = clear "xxxxx"
service = shell {
set priv-lvl = 7
}
}

Fix Text (F-3082r5_fix)
Configure authorized accounts with the least privilege rule. Each user will have access to only the privileges they require to perform their assigned duties.