Title

Default passwords and user names have not been changed. (Cat I impact)

Discussion

Requirement: The IAO will ensure that all system default passwords and user names are changed prior to connection to the DSN. Systems not protected with strong password schemes provide the opportunity for anyone to crack the password, gain access to the system, and cause information damage, or denial of service. Default user accounts and passwords must be changed prior to any user connection to a DSN system. This will prevent commonly known and used user accounts from being used by unauthorized users.

Check Content

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc as applicable.

Fix Text

Delete / change default accts and passwords - Check the component or system for default vendor accounts and passwords. If possible, delete or rename the account and change the default password.

Additional Identifiers

Rule ID: SV-8443r1_rule

Vulnerability ID: V-7957

Group Title: Default accounts and passwords still exist

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.