STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version 5, Release 1, Benchmark Date: 23 Oct 2020

The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.

DISA Rule

SV-222432r508029_rule

Vulnerability Number

V-222432

Group Title

SRG-APP-000065

Rule Version

APSC-DV-000530

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the application to enforce an account lock after 3 failed logon attempts occurring within a 15-minute window.

Check Contents

All testing must be performed within a 15-minute window.

Log on to the application with a test user account.

Intentionally enter an incorrect user password or PIN.

Repeat 2 times within 15 minutes for a total of three failed attempts.

Notification of a locked account may or may not be provided.

Using the correct user password or PIN, attempt to log on a 4th time.

If the logon is successful on the 4th attempt, the account was not locked after the third failed attempt, and this is a finding.
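The lockout rule behind this check (three failed attempts within a 15-minute window lock the account, and a correct password on the 4th attempt must still be refused) is small enough to show in code. The block below is an added example written for this page; it is not STIGQter code or DISA-supplied material. The class and function names (`LockoutPolicy`, `stig_check`), the sliding-window counting, the reset of the failure counter on a successful logon, and the administrator `unlock` step are all assumptions of the example, not requirements stated in the rule. `stig_check` replays the Check Contents steps above against a policy object and returns True when the result is a finding.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class LockoutPolicy:
    """Tracks failed logons per user and locks after max_failures within window.

    Defaults follow APSC-DV-000530: 3 failures inside a 15-minute window.
    Timestamps are passed in explicitly so the policy is deterministic and testable.
    """

    max_failures: int = 3
    window: timedelta = timedelta(minutes=15)
    # user -> timestamps of recent failed attempts (assumed sliding window)
    failures: dict[str, list[datetime]] = field(default_factory=dict)
    # user -> time the lock was applied; cleared only by unlock()
    locked: dict[str, datetime] = field(default_factory=dict)

    def attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        """Record one logon attempt and return 'locked', 'success' or 'failure'.

        The user-facing message need not distinguish 'locked' from 'failure';
        the STIG check notes that a lock notification may or may not be shown.
        """
        if user in self.locked:
            # A locked account refuses the logon even with the correct password.
            return "locked"

        # Keep only failures that fall inside the window ending at 'now'.
        recent = [t for t in self.failures.get(user, []) if now - t < self.window]

        if password_ok:
            # Assumption: a successful logon clears the failure history.
            self.failures[user] = []
            return "success"

        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked[user] = now
            return "locked"
        return "failure"

    def unlock(self, user: str) -> None:
        """Administrative unlock; also discards the stale failure history."""
        self.locked.pop(user, None)
        self.failures.pop(user, None)


def stig_check(policy: LockoutPolicy, user: str, start: datetime) -> bool:
    """Replay the APSC-DV-000530 check and report whether it is a finding.

    Three wrong passwords are entered one minute apart (well inside 15 minutes),
    then the correct password is tried. A 4th-attempt success means the account
    was not locked after the third failure, so the function returns True.
    """
    for i in range(3):
        policy.attempt(user, password_ok=False, now=start + timedelta(minutes=i))
    fourth = policy.attempt(user, password_ok=True, now=start + timedelta(minutes=4))
    return fourth == "success"


if __name__ == "__main__":
    # Constructed sample run: a compliant policy versus one that allows 5 failures.
    t0 = datetime(2020, 10, 23, 9, 0, 0)
    print("compliant policy is a finding:", stig_check(LockoutPolicy(), "testuser", t0))
    print("5-failure policy is a finding:", stig_check(LockoutPolicy(max_failures=5), "testuser", t0))
```

Running the block prints `False` for the default policy and `True` for the five-failure variant. Because `attempt` takes the clock as a parameter, the same function can also confirm the window edge: three failures spread 10 minutes apart do not lock, since the oldest has left the 15-minute window by the time the third arrives.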

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4093

Comments