From Network Device Management Security Requirements Guide
Part of SRG-APP-000163-NDM-000251
Associated with: CCI-000795
Inactive identifiers pose a risk to network devices. Attackers that are able to exploit an inactive identifier can potentially obtain and maintain undetected access to the device. Owners of inactive accounts may not notice if unauthorized access to their account has been obtained.
Determine if the network device disables identifiers after 35 days of inactivity for all local identifiers except for the account of last resort or root account. For non-local accounts, verify that the device is configured to use an authentication server. If the network device does not have the capability to automatically disable or remove identifiers after 35 days of inactivity, this is a finding.
Configure the network device or its associated authentication server to disable identifiers after 35 days of inactivity. For remote logon using the authentication server, configure this capability on the authentication server. Disable or remove unauthorized local identifiers, except for the account of last resort and the root account.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer