STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version 5, Release 1, Benchmark Date: 23 Oct 2020

The application must provide automated mechanisms for supporting account management functions.

DISA Rule

SV-222407r508029_rule

Vulnerability Number

V-222407

Group Title

SRG-APP-000023

Rule Version

APSC-DV-000280

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Use automated processes and mechanisms for account management functions.

Check Contents

Review the application documentation and interview the application administrator.

Identify the account management methods, processes and procedures that are used.

If the application is utilizing a centralized authentication mechanism such as Active Directory or LDAP, verify all user account activity is conducted via that solution and no local user accounts that circumvent the automated solution are used.

Determine if automated mechanisms are used when managing application user accounts and taking management action on application user accounts. Automated methods include but are not limited to:

Taking action on accounts that have been determined to be inactive, suspended, terminated, or disabled.

Automated action examples include: deleting such accounts, reactivating accounts in conjunction with a validation or verification process, or sending notifications or reminders to the account holders that their account is about to be disabled or deleted.

Verify the action that is taken is automated and repeatable.

If the account management process is manual in nature, this is a finding.
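An added illustration of the automated, repeatable sweep the check describes: idle accounts are notified, then disabled, then deleted after a retention period, local accounts outside the central directory are recorded as findings, and reactivation requires an explicit verification step. This is example code written for this page, not part of the STIG or STIGQter; the thresholds, the Account fields and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional, Tuple

# Constructed policy thresholds (assumptions for this example, not values from the STIG).
WARN_DAYS = 30                   # notify the holder that the account will be disabled
DISABLE_DAYS = 35                # disable after this many days without a login
DELETE_AFTER_DISABLED_DAYS = 90  # delete once the account has been disabled this long

@dataclass(frozen=True)
class Account:
    name: str
    source: str                  # "directory" (central AD/LDAP) or "local"
    enabled: bool
    last_login: date
    disabled_on: Optional[date] = None

def plan_actions(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (action, account) pairs. A pure function of its inputs, so the same
    inventory on the same day always yields the same plan (automated and repeatable)."""
    plan = []
    for acct in sorted(accounts, key=lambda a: a.name):
        if acct.source != "directory":
            # A local account circumvents the centralized solution: record a finding.
            plan.append(("finding_local_account", acct.name))
        elif not acct.enabled:
            if acct.disabled_on and (today - acct.disabled_on).days >= DELETE_AFTER_DISABLED_DAYS:
                plan.append(("delete", acct.name))
        elif (today - acct.last_login).days >= DISABLE_DAYS:
            plan.append(("disable", acct.name))
        elif (today - acct.last_login).days >= WARN_DAYS:
            plan.append(("notify", acct.name))
    return plan

def reactivate(acct: Account, identity_verified: bool) -> Account:
    """Re-enable a disabled account only after an explicit verification step."""
    if not identity_verified:
        raise PermissionError(f"{acct.name}: reactivation requires verification")
    return replace(acct, enabled=True, disabled_on=None)

# Constructed sample inventory, evaluated against the benchmark date as 'today'.
TODAY = date(2020, 10, 23)
SAMPLE = [
    Account("alice", "directory", True, date(2020, 10, 20)),                     # 3 idle days
    Account("bob", "directory", True, date(2020, 9, 20)),                        # 33 idle days
    Account("carol", "directory", True, date(2020, 8, 1)),                       # 83 idle days
    Account("dave", "directory", False, date(2020, 5, 1), date(2020, 6, 1)),     # disabled 144 days
    Account("erin", "directory", False, date(2020, 8, 1), date(2020, 9, 1)),     # disabled 52 days
    Account("svc_local", "local", True, date(2020, 10, 22)),
]
```

Running `plan_actions(SAMPLE, TODAY)` yields one notify, one disable, one delete and one local-account finding; a reviewer can diff two runs over the same inventory to confirm the process is repeatable rather than manual.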

Severity Override Guidance

Check Content Reference

M

Target Key

4093

Comments