Check: CISR-ND-000015
Cisco IOS XE Release 3 NDM STIG:
CISR-ND-000015
(in version v1 r5)
Title
The Cisco IOS XE router must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. (Cat II impact)
Discussion
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced.
Check Content
Review the Cisco router configuration to verify that it enforces the limit of three consecutive invalid logon attempts within a fifteen-minute period as shown in the example below. login block-for 600 attempts 3 within 900 Note: The configuration example above will block any logon attempt for 10 minutes after three consecutive invalid logon attempts. If the Cisco router is not configured to enforce the limit of three consecutive invalid logon attempts within a fifteen-minute period, this is a finding.
Fix Text
Configure the Cisco router to enforce the limit of three consecutive invalid logon attempts within a fifteen-minute period as shown in the example below. login block-for 600 attempts 3 within 900
Additional Identifiers
Rule ID: SV-88647r3_rule
Vulnerability ID: V-73973
Group Title: SRG-APP-000065-NDM-000214
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000044 |
The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period. |
Controls
Number | Title |
---|---|
AC-7 |
Unsuccessful Logon Attempts |