STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application administrator must follow an approved process to unlock locked user accounts.

DISA Rule

SV-222433r508029_rule

Vulnerability Number

V-222433

Group Title

SRG-APP-000345

Rule Version

APSC-DV-000540

Severity

CAT II

CCI(s)

CCI-002238 - The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.

Weight

Fix Recommendation

Create a standard approved process for unlocking locked application accounts which includes validating user identity prior to unlocking the account.

Use that process when unlocking application user accounts.

Check Contents

Interview the application administrator and identify the approved process for unlocking user accounts.

The process may involve a manual or automated reset after the locked out user has identified themselves using standard user identification processes outlined in the vulnerability discussion.

If the admin does not unlock the account following the approved process, and if the process does not have documented ISSO and ISSM approvals, this is a finding.

The application administrator must follow an approved process to unlock locked user accounts.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments