The network device must terminate shared/group account credentials when members leave the group.

An XCCDF Rule

Description

<VulnDiscussion>A shared/group account credential is a shared form of authentication that allows multiple individuals to access the network device using a single account. If shared/group account credentials are not terminated when individuals leave the group, the user that left the group can still gain access even though they are no longer authorized. There may also be instances when specific user actions need to be performed on the network device without unique administrator identification or authentication. Examples of credentials include passwords and group membership certificates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-90941r1_rule
Severity: Medium
References: CCI-002142
Updated: about 1 year ago

Establish and document a procedure that requires the changing of the account of last resort and root account password when users with knowledge of the password leave the group. To change the password:

1. Log on to CounterACT's Administrator UI.
2. From the menu, select Tools >> Options >> User Console and Options >> Password and Login.
3. Enter a new password.
Note: Use of a cryptographically generated password is recommended. Password must be stored in a locked safe and used only when necessary since individual accounts are required to be used to ensure non-repudiation.

The network device must terminate shared/group account credentials when members leave the group.

Description

Remediation - Manual Procedure