Check: SRG-APP-000317-NDM-000282
Network Device Management SRG:
SRG-APP-000317-NDM-000282
(in versions v4 r3 through v2 r7)
Title
The network device must terminate shared/group account credentials when members leave the group. (Cat II impact)
Discussion
A shared/group account credential is a shared form of authentication that allows multiple individuals to access the network device using a single account. If shared/group account credentials are not terminated when individuals leave the group, the user that left the group can still gain access even though they are no longer authorized. There may also be instances when specific user actions need to be performed on the network device without unique administrator identification or authentication. Examples of credentials include passwords and group membership certificates.
Check Content
Determine if the network device terminates shared/group account credentials when members leave the group. This requirement may be verified by demonstration, configuration review, or validated test results. This requirement may be met through use of a properly configured authentication server if the device is configured to use the authentication server. This requirement is not applicable if the device does not support shared/group credentials. If the network device does not terminate shared/group credentials when members leave the group, this is a finding.
Fix Text
Configure the network device to terminate shared/group account credentials when members leave the group.
Additional Identifiers
Rule ID: SV-202087r879694_rule
Vulnerability ID: V-202087
Group Title: SRG-APP-000317
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002142 |
The information system terminates shared/group account credentials when members leave the group. |
Controls
Number | Title |
---|---|
AC-2 (10) |
Shared / Group Account Credential Termination |