Title

The Riverbed NetIM must be configured to require immediate selection of a new password upon account recovery for password-based authentication. (Cat III impact)

Discussion

Specify a temporary password to improve security. A temporary password can be enabled only if Account Control is enabled. If a temporary password is set, then the password set by Admin/Sys Admin for the new user shall expire on the first log in of the new user. A password expired page will appear for new users after the first login.

Check Content

Verify Password Rules is configured to expire temporary passwords. 1. From the GUI, navigate to Configuration >> Configure >> All Settings >> Administer. 2. On the User Management screen, select "Password Rules". 3. View the Maximum age of temporary password in hours. If the Maximum age of temporary password in hours is not set, this is a finding.

Fix Text

Configure Password Rules to expire temporary passwords. 1. From the GUI, navigate to Configuration >> Configure >> All Settings >> Administer. 2. On the User Management screen, select "Password Rules". 3. Check "Maximum age of temporary password in hours". 4. Enter an organization-defined number in the option box and click "Submit". Local users must not be created; however, setting these requirements is a best practice.

Additional Identifiers

Rule ID: SV-275466r1147448_rule

Vulnerability ID: V-275466

Group Title: SRG-APP-000080-NDM-000220

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.