Check: TIPP-NM-000950
Trend Micro TippingPoint NDM STIG:
TIPP-NM-000950
(in versions v2 r2 through v1 r1)
Title
The password for the local account of last resort and the device password (if configured) must be changed when members who had access to the password leave the role and are no longer authorized access. (Cat II impact)
Discussion
If shared/group account credentials are not terminated when individuals leave the group, the user that left the group can still gain access even though they are no longer authorized. There may also be instances when specific user actions need to be performed on the network device without unique administrator identification or authentication. A shared/group account credential is a shared form of authentication that allows multiple individuals to access the network device using a single account.
Check Content
Have the local representative show password change logs or documentation to show this is a local process. If the password for the local account of last resort is not changed when members who had access to the password leave the role and are no longer authorized access, this is a finding.
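The check above reduces to an audit question: for every person who left the role, was the password of the account of last resort rotated on or after their departure? The following Python is an added example (not part of the STIG or the TippingPoint product) that runs that comparison over constructed departure and password-change records; the record layout, the account name "last_resort" and the 30-day window are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Departure:
    person: str    # individual who left the role
    left_on: date  # date their authorization ended


@dataclass(frozen=True)
class PasswordChange:
    account: str     # local account the change applied to
    changed_on: date


def unrotated_departures(departures, changes, account, max_days=None):
    """Return (person, left_on, delay_days) for each departure not covered.

    A departure is covered by the first change to `account` on or after the
    departure date; a change before it does not count, since the departing
    person knew that password too. With max_days set, a rotation that came
    later than the window is also reported, with the delay in days.
    """
    rotations = sorted(c.changed_on for c in changes if c.account == account)
    findings = []
    for dep in sorted(departures, key=lambda d: d.left_on):
        later = [r for r in rotations if r >= dep.left_on]
        if not later:
            findings.append((dep.person, dep.left_on, None))
        elif max_days is not None and (later[0] - dep.left_on).days > max_days:
            findings.append((dep.person, dep.left_on, (later[0] - dep.left_on).days))
    return findings


# Constructed sample data (not from any real device or change log).
DEPARTURES = [
    Departure("alice", date(2024, 3, 1)),
    Departure("bob", date(2024, 5, 10)),
    Departure("carol", date(2024, 8, 20)),
    Departure("dave", date(2024, 10, 1)),
]
CHANGES = [
    PasswordChange("last_resort", date(2024, 2, 15)),  # before alice left: no credit
    PasswordChange("last_resort", date(2024, 3, 3)),   # covers alice
    PasswordChange("admin", date(2024, 5, 12)),        # other account: ignored
    PasswordChange("last_resort", date(2024, 9, 1)),   # covers carol; bob only late
]


def audit_sample(max_days=30):
    return unrotated_departures(DEPARTURES, CHANGES, "last_resort", max_days)
```

With the sample data, bob is reported because the rotation came 114 days after he left and dave because no rotation followed at all; alice and carol are covered.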
Fix Text
Change the password for the account of last resort:
1. Navigate to Admin >> Authentication and Authorization >> Users.
2. Select the account of last resort.
3. Click Edit and select Authentication.
4. Enter and confirm the password.
To change the password for managed devices, if configured: Navigate to Devices >> All Devices >> Member Summary >> Device Users. The Device User Accounts screen displays a table that lists the user accounts available on managed devices.
Additional Identifiers
Rule ID: SV-242260r1018794_rule
Vulnerability ID: V-242260
Group Title: SRG-APP-000317-NDM-000282
CCIs
Number | Definition
---|---
CCI-002142 | The information system terminates shared/group account credentials when members leave the group.
CCI-004045 | Require users to be individually authenticated before granting access to the shared accounts or resources.
Controls
Number | Title
---|---
AC-2(10) | Shared / Group Account Credential Termination