Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-17689 | RTS-VTC 2024.00 | SV-18863r4_rule | | Medium |
Description |
---|
DoD policy mandates the use of strong passwords. The minimum password length is 15 characters. When not using DoD PKI, the minimum password complexity is at least one lowercase letter, one uppercase letter, one number, and one special character. When a password is changed, at least half the characters in the password must change; for a 15-character password this mandates eight positions, and for a four-digit PIN at least two numbers would change. While videoconferencing endpoints typically do not require a username, they do require a password for user access and authentication. The strength of these passwords is an issue for video endpoints and depends on the method of entry. Strong passwords, along with other measures noted in DoD policy, are required for any access method that is received by the video endpoint across a network, because a password could be broken by a variety of high-speed cracking attacks. Because PINs cannot use letters, they are very weak passwords. Typically, a local video endpoint PIN entered from a hand-held remote control can support five or more characters. |
STIG | Date |
---|---|
Video Services Policy STIG | 2017-04-06 |
Check Text ( C-18959r3_chk ) |
---|
Review site documentation to confirm a policy and procedure requires the videoconferencing system and components to have passwords meeting complexity or strength policy, as follows: - PINs entered into a local video endpoint from a hand-held remote control must contain at least six digits. - PINs entered into a remote video endpoint from a hand-held remote control must contain at least nine digits. - Passwords entered from a keyboard must contain at least 15 characters with at least one lowercase letter, one uppercase letter, one number, and one special character. - Passwords and PINs must be encrypted per DoD standards. If the videoconferencing system and components do not have passwords meeting complexity or strength policy, this is a finding. |
Fix Text (F-17586r3_fix) |
---|
Implement videoconferencing system and components passwords to meet complexity and strength policy. |
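
The composition rules in the check text and the change rule in the description can be expressed as a small validator. This is an added example, not part of the STIG or of any vendor tooling. The entry-method labels, the function names, the use of ASCII punctuation as the "special character" set, and the position-by-position reading of the change rule are assumptions made for the example; the encryption requirement is not covered.

```python
import math
import string

# Minimum lengths from the check text; the dictionary keys are labels made up for this example.
MIN_LENGTH = {"local_pin": 6, "remote_pin": 9, "keyboard": 15}
# Assumption: "special character" means ASCII punctuation (a space does not count).
CLASSES = {"lowercase letter": string.ascii_lowercase, "uppercase letter": string.ascii_uppercase,
           "number": string.digits, "special character": string.punctuation}


def composition_findings(secret, entry_method):
    """List the composition rules that `secret` breaks for the given entry method."""
    minimum, findings = MIN_LENGTH[entry_method], []
    if entry_method == "keyboard":
        if len(secret) < minimum:
            findings.append(f"shorter than {minimum} characters")
        findings += [f"no {name}" for name, chars in CLASSES.items()
                     if not any(c in chars for c in secret)]
    else:  # PIN typed on a hand-held remote control: digits only
        if not (secret.isascii() and secret.isdigit()):
            findings.append("PIN is not all digits")
        if len(secret) < minimum:
            findings.append(f"fewer than {minimum} digits")
    return findings


def changed_positions(old, new):
    """Positions of `new` that differ from `old`; positions past the end of `old` count as changed."""
    return len(new) - sum(1 for a, b in zip(old, new) if a == b)


def change_findings(old, new):
    """Apply the 'at least half the characters must change' rule, rounding up."""
    required, changed = math.ceil(len(new) / 2), changed_positions(old, new)
    if changed < required:
        return [f"only {changed} of {len(new)} positions changed, {required} required"]
    return []


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    print(composition_findings("Vtc-Room7!Access", "keyboard"))
    print(composition_findings("12345678", "remote_pin"))
    print(change_findings("Summer2016!Room", "Summer2017!Room"))
    print(change_findings("1234", "1299"))
```

Rounding up reproduces both figures in the description: eight positions for a 15-character password and two for a four-digit PIN.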