Check: ENS-CO-000116
Trellix ENS 10.x STIG:
ENS-CO-000116
(in versions v3 r2 through v2 r7)
Title
(CUI) The ENS user interface admin password must be, at minimum, 15-characters in length. (Cat II impact)
Discussion
(U) The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of passwords for application authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. Examples of situations where a user ID and password might be used include but are not limited to:
- When the application user does not have a CAC and is not a current DOD employee, member of the military, or a DOD contractor.
- When an application user has been officially designated as a Temporary Exception User; one who is temporarily unable to present a CAC for some reason (lost, damaged, not yet issued, broken card reader) and to satisfy urgent organizational needs must be temporarily permitted to use user ID/password authentication until the problem with CAC use has been remedied.
- When the application is publicly available and/or hosting publicly releasable data requiring some degree of need-to-know protection.

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Check Content
(CUI) This is a manual procedure to verify that password complexity rules are applied when the ENS user interface (UI) password is generated. The password must be at least 15 characters in length. Query the ESS admin on the password complexity rules used for the ENS UI. If the password in use is fewer than 15 characters in length, this is a finding.
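An added example, not part of the STIG or of Trellix ENS, that records the result of the manual check above as a STIG status and works through the Discussion's keyspace argument for an 8-character versus a 15-character minimum. The policy values, the 94-symbol alphabet and the guess rate are constructed assumptions.

```python
# Added example (not STIG or Trellix code): evaluate a reported ENS UI
# password policy against ENS-CO-000116 and compare brute-force keyspaces.
from dataclasses import dataclass

STIG_ID = "ENS-CO-000116"
REQUIRED_MIN_LENGTH = 15            # minimum length stated in the check content
ALPHABET_MIXED = 26 + 26 + 10 + 32  # assumed: upper, lower, digits, 32 symbols


@dataclass
class UiPasswordPolicy:
    """Minimum length the ESS admin reports for the ENS UI admin password (constructed)."""
    min_length: int


def evaluate(policy: UiPasswordPolicy) -> dict:
    """Return the STIG status ('Open' or 'Not a Finding') for the reported minimum."""
    compliant = policy.min_length >= REQUIRED_MIN_LENGTH
    return {
        "stig_id": STIG_ID,
        "reported_min_length": policy.min_length,
        "status": "Not a Finding" if compliant else "Open",
        "detail": "" if compliant else
                  f"minimum length {policy.min_length} is below {REQUIRED_MIN_LENGTH}",
    }


def keyspace(length: int, alphabet_size: int = ALPHABET_MIXED) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def exhaustive_search_years(length: int, guesses_per_second: float = 1e12,
                            alphabet_size: int = ALPHABET_MIXED) -> float:
    """Worst-case years to try every password at an assumed offline guess rate."""
    seconds = keyspace(length, alphabet_size) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for policy in (UiPasswordPolicy(8), UiPasswordPolicy(15)):
        print(evaluate(policy))
    for n in (8, 15):
        print(f"length {n}: {keyspace(n):.3e} candidates, "
              f"{exhaustive_search_years(n):.3g} years at 1e12 guesses/s")
```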
Fix Text
(CUI) Develop and enforce a password complexity procedure for the ENS UI admin password.
Additional Identifiers
Rule ID: SV-256068r1022745_rule
Vulnerability ID: V-256068
Group Title: SRG-APP-000164
CCIs
Number | Definition
---|---
CCI-000205 | The information system enforces minimum password length.
CCI-004066 | For password-based authentication, enforce organization-defined composition and complexity rules.
Controls
Number | Title
---|---
IA-5(1) | Password-based Authentication