Default passwords are not changed.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17687	RTS-VTC 2020.00	SV-18861r1_rule	DCBP-1 ECSC-1 IAIA-1 IAIA-2	High

Description
DoDI 8500.2 IA controls IAIA-1 and IAIA-2 state, in part: “Ensure all factory set, default, standard or well-known user-IDs and passwords are removed or changed.” Factory default, well-known, and/or manufacturer backdoor accounts and their associated passwords provide easy unauthorized access to system/device. Leaving such accounts and passwords active on a system/device makes it extremely vulnerable to attack and/or other unauthorized access. As such, they need to be removed, changed, renamed, or otherwise disabled. Also covered by this policy are “community strings”, which act as passwords for monitoring and management of network devices and attached systems via SNMP. The universal default SNMP community strings are “public” and private” and are well known. Default access for VTC operation, local and remote control, and management/configuration purposes is typically unrestricted or minimally protected by well known and well published default passwords. It has been demonstrated that not changing these passwords is the most common cause of VTC system compromise.

Description

DoDI 8500.2 IA controls IAIA-1 and IAIA-2 state, in part: “Ensure all factory set, default, standard or well-known user-IDs and passwords are removed or changed.” Factory default, well-known, and/or manufacturer backdoor accounts and their associated passwords provide easy unauthorized access to system/device. Leaving such accounts and passwords active on a system/device makes it extremely vulnerable to attack and/or other unauthorized access. As such, they need to be removed, changed, renamed, or otherwise disabled. Also covered by this policy are “community strings”, which act as passwords for monitoring and management of network devices and attached systems via SNMP. The universal default SNMP community strings are “public” and private” and are well known. Default access for VTC operation, local and remote control, and management/configuration purposes is typically unrestricted or minimally protected by well known and well published default passwords. It has been demonstrated that not changing these passwords is the most common cause of VTC system compromise.

STIG	Date
Video Services Policy STIG	2014-06-26

Details

Check Text ( C-18957r1_chk )
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement: Ensure all default/factory passwords and SNMP community strings are changed or replaced prior to the VTU being placed into service Note: New passwords will be in compliance with the individual password requirements defined in this document. Note: During APL testing, this is a finding in the event default passwords cannot be changed on VTC/VTU. Have the IAO or SA demonstrate logging onto the VTU via local and remote access methods. Look for the use of the following typical default passwords: “TANDBERG”, the serial number, “admin”, 1234, none, etc.

Check Text ( C-18957r1_chk )

[IP][ISDN]; Interview the IAO to validate compliance with the following requirement:

Ensure all default/factory passwords and SNMP community strings are changed or replaced prior to the VTU being placed into service

Note: New passwords will be in compliance with the individual password requirements defined in this document.
Note: During APL testing, this is a finding in the event default passwords cannot be changed on VTC/VTU.

Have the IAO or SA demonstrate logging onto the VTU via local and remote access methods. Look for the use of the following typical default passwords: “TANDBERG”, the serial number, “admin”, 1234, none, etc.

Fix Text (F-17584r1_fix)
[IP][ISDN]; Perform the following tasks: Change all system passwords to non-default settings before placing the VTU into service.