The Bromium Enterprise Controller (BEC) must change the password for the Account of Last Resort when an individual with knowledge of the password leaves the group.

From Bromium Secure Platform 4.x Security Technical Implementation Guide

Part of SRG-APP-000317

Associated with: CCI-002142

SV-95147r1_rule The Bromium Enterprise Controller (BEC) must change the password for the Account of Last Resort when an individual with knowledge of the password leaves the group.

Vulnerability discussion

If shared/group account credentials are not terminated when individuals leave the group, the user who left the group can still gain access even though they are no longer authorized. A shared/group account credential is a shared form of authentication that allows multiple individuals to access the application using a single account. There may also be instances when specific user actions need to be performed on the information system without unique user identification or authentication. Examples of credentials include passwords and group membership certificates.Note: Other passwords that should be considered for rotation or changes include the password to decrypt the malware manifest and the service account used to connect BEC to SQL Server.-Note: If the Account of Last Resort has been removed after installation and configuration per vendor-recommended best practice, there is no need to rotate this password.  Note: If the Account of Last Resort has been removed after installation and configuration per vendor-recommended best practice, there is no need to rotate this password.

Check content

If the Account of Last Resort has been removed after installation and configuration per vendor-recommended best practice (BROM-00-000300), this is not a finding. Examine the site's documentation. Verify there is a documented procedure for changing the password for the Account of Last Resort when an individual with knowledge of the password leaves the group. An acceptable practice is to either create a new account and password each time or change the password. If a procedure for changing the password for the Account of Last Resort when an individual with knowledge of the password leaves the group is not documented or implemented, this is a finding.

Fix text

Modify the password for the Account of Last Resort. 1. Using the management console, navigate to "Settings". 2. Select "Users". 3. Click on the local account name representing the Account of Last Resort. 4. In the "Edit User" section, enter and confirm the new password. 5. Click "Save Settings". If the Account of Last Resort has been removed after installation and configuration per vendor-recommended best practice (BROM-00-000300), either create a new account and password or change the password.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer