Check: APCG-00-000015
AvePoint Compliance Guardian STIG: APCG-00-000015 (in version v1 r1)
Title
Compliance Guardian must provide automated mechanisms for supporting account management functions. (Cat II impact)
Discussion
Remote access (e.g., Remote Desktop Protocol [RDP]) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include dial-up, broadband, and wireless.
Satisfies: SRG-APP-000023, SRG-APP-000025, SRG-APP-000065, SRG-APP-000163, SRG-APP-000164, SRG-APP-000165, SRG-APP-000166, SRG-APP-000167, SRG-APP-000168, SRG-APP-000169, SRG-APP-000170, SRG-APP-000171, SRG-APP-000173, SRG-APP-000174, SRG-APP-000190, SRG-APP-000234, SRG-APP-000291, SRG-APP-000292, SRG-APP-000293, SRG-APP-000294, SRG-APP-000295, SRG-APP-000318, SRG-APP-000319, SRG-APP-000320, SRG-APP-000345, SRG-APP-000397, SRG-APP-000401, SRG-APP-000503, SRG-APP-000505, SRG-APP-000506, SRG-APP-000509
Check Content
Compliance Guardian supports integration with Active Directory (AD) for automated account management. Check the Compliance Guardian configuration to ensure AD Integration is enabled.
- Log on to Compliance Guardian with an admin account.
- On the Control Panel page, in the General Security section, click "Authentication Manager".
- Navigate to "AD Integration".
- Verify that the "AD Integration" option is enabled.
If the AD Integration option is not enabled, this is a finding.
Fix Text
Configure Compliance Guardian so that AD Integration is enabled.
- Log on to Compliance Guardian with an admin account.
- On the Control Panel page, in the Authentication Manager section, click "Authentication Manager".
- Navigate to "AD Integration".
- Set the Action of "AD Integration" to "Enable".
- Save the settings.
Then add AD users or groups to Compliance Guardian through Account Manager, so that account management is carried out by the automated AD account management functions.
Additional Identifiers
Rule ID: SV-256842r890136_rule
Vulnerability ID: V-256842
Group Title: SRG-APP-000023
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000015 | The organization employs automated mechanisms to support the information system account management functions. |
CCI-000017 | The information system automatically disables inactive accounts after an organization-defined time period. |
CCI-000044 | The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period. |
CCI-000172 | The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |
CCI-000192 | The information system enforces password complexity by the minimum number of upper case characters used. |
CCI-000193 | The information system enforces password complexity by the minimum number of lower case characters used. |
CCI-000194 | The information system enforces password complexity by the minimum number of numeric characters used. |
CCI-000195 | The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed. |
CCI-000196 | The information system, for password-based authentication, stores only cryptographically-protected passwords. |
CCI-000198 | The information system enforces minimum password lifetime restrictions. |
CCI-000199 | The information system enforces maximum password lifetime restrictions. |
CCI-000200 | The information system prohibits password reuse for the organization-defined number of generations. |
CCI-000205 | The information system enforces minimum password length. |
CCI-000795 | The organization manages information system identifiers by disabling the identifier after an organization-defined time period of inactivity. |
CCI-001133 | The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity. |
CCI-001619 | The information system enforces password complexity by the minimum number of special characters used. |
CCI-001682 | The information system automatically removes or disables emergency accounts after an organization-defined time period for each type of account. |
CCI-001683 | The information system notifies organization-defined personnel or roles for account creation actions. |
CCI-001684 | The information system notifies organization-defined personnel or roles for account modification actions. |
CCI-001685 | The information system notifies organization-defined personnel or roles for account disabling actions. |
CCI-001686 | The information system notifies organization-defined personnel or roles for account removal actions. |
CCI-001991 | The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network. |
CCI-002041 | The information system allows the use of a temporary password for system logons with an immediate change to a permanent password. |
CCI-002130 | The information system automatically audits account enabling actions. |
CCI-002132 | The information system notifies organization-defined personnel or roles for account enabling actions. |
CCI-002145 | The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts. |
CCI-002238 | The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded. |
CCI-002361 | The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect. |
Controls
Number | Title |
---|---|
AC-2 (1) | Automated System Account Management |
AC-2 (2) | Removal Of Temporary / Emergency Accounts |
AC-2 (3) | Disable Inactive Accounts |
AC-2 (4) | Automated Audit Actions |
AC-2 (11) | Usage Conditions |
AC-7 | Unsuccessful Logon Attempts |
AC-12 | Session Termination |
AU-12 | Audit Generation |
IA-4 | Identifier Management |
IA-5 (1) | Password-Based Authentication |
IA-5 (2) | PKI-Based Authentication |
SC-10 | Network Disconnect |