STIGQter: STIG Summary: Video Services Policy STIG (Version: 1, Release: 11, Benchmark Date: 24 Apr 2020)

Classified videoconferencing systems must authenticate with a unique user logon prior to performing functions and services.

DISA Rule

SV-18865r2_rule

Vulnerability Number

V-17691

Group Title

RTS-VTC 2028

Rule Version

RTS-VTC 2028.00

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the classified videoconferencing system to authenticate with a unique user logon prior to performing functions and services. Additionally, configure the video endpoint with the following:
- Configure unique (non-default/non-shared) IDs for each privileged and user account, to include an administrator test account. Note this is best accomplished using a central user management system, such as RADIUS or TACACS+. Authentication must meet current DoD requirements and may implement username/password or multifactor authentication (DoD PKI token preferred).
- Configure video endpoints to require unique user identities to authenticate at first logon and when unlocking.
- Configure video endpoints to automatically lock after 15 minutes of inactivity.
- Configure video endpoints to display incoming call notifications while locked (a unique ID is required to activate the video endpoint and answer the call).

Check Contents

Review site documentation to confirm the classified videoconferencing system authenticates using a unique user logon prior to performing functions and services. The video endpoint must not be capable of placing or answering a call unless it is unlocked by a user logon. Additionally, ensure the video endpoint configuration settings are as follows:
- Unique (non-default/non-shared) IDs for each privileged and user account, to include an administrator test account. Note this is best accomplished using a central user management system, such as RADIUS or TACACS+. Authentication must meet current DoD requirements and may implement username/password or multifactor authentication (DoD PKI token preferred).
- Video endpoints to require unique user identities to authenticate at first logon and when unlocking.
- Video endpoints to automatically lock after 15 minutes of inactivity.
- Video endpoints to display incoming call notifications while locked (a unique ID is required to activate the video endpoint and answer the call).

If the classified videoconferencing system is not configured as above, this is a finding. If the classified videoconferencing system does not authenticate using a unique user logon prior to performing functions and services, this is a finding.

Documentable

False

Severity Override Guidance

Review site documentation to confirm the classified videoconferencing system authenticates using a unique user logon prior to performing functions and services. The video endpoint must not be capable of placing or answering a call unless it is unlocked by a user logon. Additionally, ensure the video endpoint configuration settings are as follows:
- Unique (non-default/non-shared) IDs for each privileged and user account, to include an administrator test account. Note this is best accomplished using a central user management system, such as RADIUS or TACACS+. Authentication must meet current DoD requirements and may implement username/password or multifactor authentication (DoD PKI token preferred).
- Video endpoints to require unique user identities to authenticate at first logon and when unlocking.
- Video endpoints to automatically lock after 15 minutes of inactivity.
- Video endpoints to display incoming call notifications while locked (a unique ID is required to activate the video endpoint and answer the call).

If the classified videoconferencing system is not configured as above, this is a finding. If the classified videoconferencing system does not authenticate using a unique user logon prior to performing functions and services, this is a finding.

Check Content Reference

M

Responsibility

Other

Target Key

1418
