STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020

The application must allow the use of a temporary password for system logons with an immediate change to a permanent password.

DISA Rule

SV-222547r508029_rule

Vulnerability Number

V-222547

Group Title

SRG-APP-000397

Rule Version

APSC-DV-001790

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the application to specify when a password is temporary and change the temporary password on the first use.

Check Contents

Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication.

If the application does not use passwords, the requirement is not applicable.

Access the application management interface and view the user password settings page.

Review user password settings and validate the application is configured to specify when a password is temporary and force a password change when the administrator either creates a new user account or changes a user’s password.

If the application cannot specify a password as temporary and force the user to change the temporary password upon successful authentication, this is a finding.
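The behavior the fix and check describe, sketched as an added example (not part of the STIG text or of any particular product): a password set by an administrator, whether at account creation or on reset, is flagged temporary, and a successful login with it yields only a change-required state until the user replaces it. The names AuthStore, admin_set_password, login and change_password are hypothetical, and the PBKDF2 parameters are illustrative assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

def _hash(password: str, salt: bytes) -> bytes:
    # Illustrative KDF settings (assumption); use the organization's approved values.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    temporary: bool  # True until the user replaces an admin-issued password

class AuthStore:  # hypothetical in-memory credential store
    def __init__(self):
        self.accounts = {}

    def admin_set_password(self, user: str) -> str:
        """Admin creates a user or resets a password: always marked temporary."""
        temp = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash(temp, salt), True)
        return temp

    def _verify(self, user: str, password: str):
        acct = self.accounts.get(user)
        if acct and hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            return acct
        return None

    def login(self, user: str, password: str) -> str:
        """Return 'denied', 'change_required' (no session issued) or 'ok'."""
        acct = self._verify(user, password)
        if acct is None:
            return "denied"
        return "change_required" if acct.temporary else "ok"

    def change_password(self, user: str, current: str, new: str) -> bool:
        """Re-authenticate, refuse reuse of the current password, clear the flag."""
        acct = self._verify(user, current)
        if acct is None or hmac.compare_digest(acct.pw_hash, _hash(new, acct.salt)):
            return False
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = _hash(new, acct.salt)
        acct.temporary = False
        return True
```

The caller must treat "change_required" as unauthenticated for every action except the password change itself; otherwise the flag is set but not enforced, which is the finding condition.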

Documentable

False

Severity Override Guidance

Review the application documentation and interview the application administrator to identify if the application uses passwords for user authentication.

If the application does not use passwords, the requirement is not applicable.

Access the application management interface and view the user password settings page.

Review user password settings and validate the application is configured to specify when a password is temporary and force a password change when the administrator either creates a new user account or changes a user’s password.

If the application cannot specify a password as temporary and force the user to change the temporary password upon successful authentication, this is a finding.

Check Content Reference

M

Target Key

4093
