From Application Security and Development Security Technical Implementation Guide
Part of SRG-APP-000024
Associated with: CCI-000016
If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
If official documentation exists that disallows the use of temporary user accounts within the application, this requirement is not applicable. Examine the application documentation or interview the application representative to identify how the application users are managed. Navigate to the screen where user accounts are configured. Create a test account and determine if there is a setting to specify the user account as being temporary in nature. Determine if there is an available setting to expire the account after a period of time. If the application has no ability to specify a user account as being temporary in nature, or if the account cannot be automatically disabled or removed 72 hours after account creation, this is a finding.
Configure temporary accounts to be automatically removed or disabled 72 hours after account creation.
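The check and fix above can be expressed as an audit and an enforcement sweep over account records. This is an added example, not part of the STIG or of any product; the `Account` record layout, the function names and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_TEMP_LIFETIME = timedelta(hours=72)  # limit stated in the requirement
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed audit time

@dataclass
class Account:  # hypothetical record layout, not a real product schema
    name: str
    temporary: bool
    created_at: datetime
    expires_at: Optional[datetime]
    enabled: bool = True

def audit(accounts, now):
    """Map account name -> reason for each temporary account that is a finding."""
    findings = {}
    for a in accounts:
        if not a.temporary:
            continue
        if a.expires_at is None:
            findings[a.name] = "no automatic expiration set"
        elif a.expires_at > a.created_at + MAX_TEMP_LIFETIME:
            findings[a.name] = "expiration later than 72 hours after creation"
        elif a.enabled and now >= a.expires_at:
            findings[a.name] = "expired but still enabled"
    return findings

def enforce(accounts, now):
    """Disable temporary accounts past their deadline; return the names disabled."""
    disabled = []
    for a in accounts:
        if not (a.temporary and a.enabled):
            continue
        deadline = a.created_at + MAX_TEMP_LIFETIME
        if a.expires_at is not None:
            deadline = min(deadline, a.expires_at)  # never extend past 72 hours
        if now >= deadline:
            a.enabled = False
            disabled.append(a.name)
    return disabled

def sample_accounts():  # constructed sample data
    h = lambda n: NOW - timedelta(hours=n)
    return [Account("alice", False, h(9000), None),
            Account("temp_ok", True, h(10), h(10) + MAX_TEMP_LIFETIME),
            Account("temp_noexp", True, h(100), None),
            Account("temp_long", True, h(5), h(5) + timedelta(days=30)),
            Account("temp_stale", True, h(80), h(80) + timedelta(hours=48))]
```

Note that `enforce` disables overdue accounts but does not repair a missing or overlong expiration setting, so `audit` keeps reporting those accounts until the expiration is set at creation time as the requirement states.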