Check: APSC-DV-000330
Application Security and Development STIG:
APSC-DV-000330
(in versions v5 r3 through v4 r2)
Title
Unnecessary application accounts must be disabled, or deleted. (Cat II impact)
Discussion
Test or demonstration accounts are sometimes created during the application installation process. This creates a security risk as these accounts often remain after the initial installation process and can be used to gain unauthorized access to the application. Applications must be designed and configured to disable or delete any unnecessary accounts that may be created. Care must be taken to ensure valid accounts used for valid application operations are not disabled or deleted when this requirement is applied.
Check Content
Review the system documentation and identify any valid application accounts that are required in order for the application to operate. Accounts the application itself uses in order to function are not in scope for this requirement. Have the application administrator generate a list of all application users. This should include relevant user metadata such as phone numbers or department identifiers. Have the application administrator identify and validate all user accounts. If any accounts cannot be validated and are deemed to be unnecessary, this is a finding.
Fix Text
Design the application so unessential user accounts are not created during installation. Disable or delete all unnecessary application user accounts.
Additional Identifiers
Rule ID: SV-222412r879524_rule
Vulnerability ID: V-222412
Group Title: SRG-APP-000025
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000017 |
The information system automatically disables inactive accounts after an organization-defined time period. |
Controls
Number | Title |
---|---|
AC-2 (3) |
Disable Inactive Accounts |