Check: SRG-NET-000330-VPN-001220
Virtual Private Network (VPN) SRG:
SRG-NET-000330-VPN-001220
(in versions v2 r6 through v1 r0.1)
Title
The VPN Gateway must notify the user, upon successful logon (access), of the organization-defined information to be included in addition to the date and time of the last logon (access). (Cat III impact)
Discussion
Users need to be aware of activity that occurs regarding their account. Providing users with information deemed important by the organization may aid in the discovery of unauthorized access or thwart a potential attacker. Organizations should consider the risks to the specific information system being accessed and the threats presented by the device to the environment when configuring this option. An excessive or unnecessary amount of information presented to the user at logon is not recommended. This requirement applies to VPN gateways that have the concept of a user account and have the login function residing on the VPN gateway.
Check Content
Verify the VPN Gateway notifies the user, upon successful logon (access), of the organization-defined information to be included in addition to the date and time of the last logon (access). If the VPN Gateway does not notify the user, upon successful logon (access), of the organization-defined information to be included in addition to the date and time of the last logon (access), this is a finding.
Fix Text
Configure the VPN Gateway to notify the user, upon successful logon (access), of the organization-defined information to be included in addition to the date and time of the last logon (access).
Additional Identifiers
Rule ID: SV-207232r856704_rule
Vulnerability ID: V-207232
Group Title: SRG-NET-000330
CCIs
Number | Definition |
---|---|
CCI-002250 | Notify the user, upon successful logon, of the following additional information: organization-defined additional information. |
Controls
Number | Title |
---|---|
AC-9(4) | Additional Logon Information |