Skip to content
Log In

CCI-004061

For password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).

The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access.

1 rule found Severity: Medium

Logo

The DNS server implementation must, for password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).

1 rule found Severity: Medium

Logo

The PASSWORD History Count value must be set to 10 or greater.

1 rule found Severity: Medium

Logo

The ICS must be configured to prevent nonprivileged users from executing privileged functions.

1 rule found Severity: High

Logo

The Ivanti EPMM server must prohibit password reuse for a minimum of four generations.

1 rule found Severity: Medium

Logo

The Jamf Pro EMM local accounts must prohibit password reuse for a minimum of five generations.

1 rule found Severity: Medium

Logo

The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.

1 rule found Severity: High

Logo

MKE must be configured to integrate with an Enterprise Identity Provider.

1 rule found Severity: Medium

Logo

The password history must be configured to 24 passwords remembered.

2 rules found Severity: Medium

Logo

The network device must be configured to verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a) for password-based authentication.

1 rule found Severity: Medium

Logo

Splunk Enterprise must prohibit password reuse for a minimum of five generations for the account of last resort.

1 rule found Severity: Low

Logo

Splunk Enterprise must be configured to prohibit password reuse for a minimum of five generations.

1 rule found Severity: Low

Logo

The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.

1 rule found Severity: High

Logo

The use of a Solidcore 8.x local Command Line Interface (CLI) Access Password must be documented in the organizations written policy.

1 rule found Severity: Medium

Logo

The web server must, for password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).

1 rule found Severity: Medium

Logo

For password-based authentication, AAA Services must be configured to verify when users create or update passwords, and that the passwords are not on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 18 must be configured to enforce a passcode reuse prohibition of at least two generations.

1 rule found Severity: High

Logo

The application must prohibit password reuse for a minimum of five generations.

1 rule found Severity: Medium

Logo

The Central Log Server must for password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).

1 rule found Severity: Medium

Logo

The container platform must for password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).

1 rule found Severity: Medium

Logo

The DBMS must, for password-based authentication, verify that when users create or update passwords, the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).

1 rule found Severity: Medium

Logo

The Dell OS10 Switch must not have any default manufacturer passwords when deployed.

1 rule found Severity: Medium

Logo

Forescout must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.

1 rule found Severity: Medium

Logo

The HYCU virtual appliance must not have any default manufacturer passwords when deployed.

1 rule found Severity: Medium

Logo

The operating system must, for password-based authentication, verify when users create or update passwords the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).

1 rule found Severity: Medium

Logo

CA-ACF2 must prevent the use of dictionary words for passwords.

1 rule found Severity: Medium

Logo

ACF2 PSWD GSO record value must be set to prohibit password reuse for a minimum of five generations or more.

1 rule found Severity: Medium

Logo

The IBM RACF PASSWORD(HISTORY) SETROPTS value must be set to five or more.

1 rule found Severity: Medium

Logo

The CA-TSS NEWPW control options must be properly set.

1 rule found Severity: Medium

Logo

The CA-TSS PWHIST Control Option must be set to 10 or greater.

1 rule found Severity: Medium

Logo

The CA-TSS PPHIST Control Option must be properly set.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access.

1 rule found Severity: Medium

Logo

The Mainframe Product must, for password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).

1 rule found Severity: Medium

Logo

Windows Server 2019 password history must be configured to 24 passwords remembered.

1 rule found Severity: Medium

Logo

Windows Server 2022 password history must be configured to 24 passwords remembered.

1 rule found Severity: Medium

Logo

The DBMS must support organizational requirements to prohibit password reuse for the organization-defined number of generations.

1 rule found Severity: Medium

Logo

Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.

1 rule found Severity: Medium

Logo

OpenShift must use FIPS validated LDAP or OpenIDConnect.

1 rule found Severity: High

Logo

The UEM server must prohibit password reuse for a minimum of five generations.

1 rule found Severity: Medium

Logo

The VMM must for password-based authentication, verify when users create or update passwords the passwords are not found on the list of commonly-used, expected, or compromised passwords in ia-5 (1) (a).

1 rule found Severity: Medium

Logo

The ESXi host must prohibit password reuse for a minimum of five generations.

1 rule found Severity: Medium

Logo

The vCenter Server must prohibit password reuse for a minimum of five generations.

1 rule found Severity: Medium

Logo

The Photon operating system must prohibit password reuse for a minimum of five generations.

1 rule found Severity: Medium

Logo

The Photon operating system must be configured to use the pam_pwhistory.so module.

1 rule found Severity: Medium

Logo

Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.

1 rule found Severity: High

Logo