STIGQter: STIG Summary: Cisco IOS XE Router NDM Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The Cisco router must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must lock out the user account from accessing the device for 15 minutes.

DISA Rule

SV-215813r531083_rule

Vulnerability Number

V-215813

Group Title

SRG-APP-000065-NDM-000214

Rule Version

CISC-ND-000150

Severity

CAT II

CCI(s)

• CCI-000044 - The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.

Weight

10

Fix Recommendation

Configure the Cisco router to enforce the limit of three consecutive invalid logon attempts as shown in the example below.

R2(config)#login block-for 900 attempts 3 within 120

Check Contents

Review the Cisco router configuration to verify that it enforces the limit of three consecutive invalid logon attempts as shown in the example below.

login block-for 900 attempts 3 within 120

Note: The configuration example above will block any login attempt for 15 minutes after three consecutive invalid logon attempts within a two-minute period.

If the Cisco router is not configured to enforce the limit of three consecutive invalid logon attempts, this is a finding.

Vulnerability Number

V-215813

Documentable

False

Rule Version

CISC-ND-000150

Severity Override Guidance

Review the Cisco router configuration to verify that it enforces the limit of three consecutive invalid logon attempts as shown in the example below.

login block-for 900 attempts 3 within 120

Note: The configuration example above will block any login attempt for 15 minutes after three consecutive invalid logon attempts within a two-minute period.

If the Cisco router is not configured to enforce the limit of three consecutive invalid logon attempts, this is a finding.

Check Content Reference

M

Target Key

4020

Comments