The IAO/NSO will ensure each user accessing the device locally have their own account with username and password.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-3056	NET0460	SV-3056r9_rule	IAIA-1 IAIA-2	High

Description
Without passwords on user accounts, one level of complexity is removed from gaining access to the network device. If a default userid has not been changed or is guessed by an attacker, the network could be easily compromised as the only remaining step would be to crack the password. Sharing group accounts on any device is strictly prohibited. If these group accounts are not changed when someone leaves the group, that person could possibly gain control of the network device. Having group accounts does not allow for proper auditing of who is accessing or changing the network.

Description

Without passwords on user accounts, one level of complexity is removed from gaining access to the network device. If a default userid has not been changed or is guessed by an attacker, the network could be easily compromised as the only remaining step would be to crack the password. Sharing group accounts on any device is strictly prohibited. If these group accounts are not changed when someone leaves the group, that person could possibly gain control of the network device. Having group accounts does not allow for proper auditing of who is accessing or changing the network.

STIG	Date
WLAN Bridge Security Technical Implementation Guide	2011-10-10

Details

Check Text ( C-3503r2_chk )
Review configuration for local accounts. If an authentication server is being used, examine those accounts with access to the device.

Fix Text (F-3081r3_fix)
The SA will ensure that all user accounts without passwords are removed. The administrator will ensure that individual user accounts are created for each authorized administrator. The IAO will ensure that any group or duplicate account will be removed.