An error occurred:

Check: ENS-CO-000116

Trellix ENS 10.x STIG: ENS-CO-000116 (in versions v2 r14 through v2 r7)

Title

(CUI) The ENS user interface admin password must be at minimum 15-characters in length. (Cat II impact)

Discussion

(U) The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of passwords for application authentication is intended only for limited situations and should not be used as a replacement for two-factor CAC-enabled authentication. Examples of situations where a user ID and password might be used include but are not limited to: - When the application user does not have a CAC and is not a current DoD employee, member of the military, or a DoD contractor. - When an application user has been officially designated as a Temporary Exception User; one who is temporarily unable to present a CAC for some reason (lost, damaged, not yet issued, broken card reader) and to satisfy urgent organizational needs must be temporarily permitted to use user ID/password authentication until the problem with CAC use has been remedied. and - When the application is publicly available and or hosting publicly releasable data requiring some degree of need-to-know protection. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Check Content

(CUI) This is a manual procedure to verify password complexity rules are being used when the ENS user interface (UI) password is generated. The password, at a minimum, must be 15 characters in length. Query the ESS admin on the password complexity used for the ENS UI. If a password being used is not a minimum of at least 15 characters in length, this is a finding.

Fix Text

(CUI) Develop and enforce a password complexity procedure for the ENS UI admin password.

Additional Identifiers

Rule ID: SV-256068r882563_rule

Vulnerability ID: V-256068

Group Title: SRG-APP-000164

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000205

The information system enforces minimum password length.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
IA-5 (1)

Password-Based Authentication