| Finding ID | Severity | Title | Description |
|---|---|---|---|
| V-270233 | High | Microsoft Entra ID must be configured to use multifactor authentication (MFA). | Without the use of MFA, the ease of access to privileged functions is greatly increased. MFA requires the use of two or more factors to achieve authentication. Factors include: (i) Something a user knows (e.g., password/PIN); (ii) Something a user has (e.g., cryptographic identification device, token); or (iii) Something a... |
| V-270475 | Medium | Microsoft Entra ID must, for password-based authentication, verify when users create or update passwords that the passwords are not found on the list of commonly used, expected, or compromised passwords. | Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length... |
| V-270335 | Medium | Microsoft Entra ID must use Privileged Identity Management (PIM). | Emergency accounts are administrator accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Emergency... |
| V-270255 | Medium | Microsoft Entra ID must notify system administrators (SAs) and the information system security officer (ISSO) when privileges are being requested. | When application accounts are modified, user accessibility is affected. Accounts are used for identifying individual users or for identifying the application processes themselves. Sending notification of account modification events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that... |
| V-270239 | Medium | Microsoft Entra ID must enforce a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their... |
| V-270227 | Medium | Microsoft Entra ID must be configured to transfer logs to another server for storage, analysis, and reporting. | Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps to ensure the audit records will be retained in the event of a... |
| V-270209 | Medium | Microsoft Entra ID must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the application. | |
| V-270208 | Medium | Microsoft Entra ID must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account. Satisfies: SRG-APP-000345 |
| V-270204 | Medium | Microsoft Entra ID must automatically disable accounts after a 35-day period of account inactivity. | |
| V-270200 | Medium | Microsoft Entra ID must initiate a session lock after a 15-minute period of inactivity. | Session locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Session locks can be implemented at the operating... |