STIGQter: STIG Summary: Network Device Management Security Requirements Guide Version: 4 Release: 1 Benchmark Date: 23 Apr 2021:

The network device must only store cryptographic representations of passwords.

DISA Rule

SV-202064r539621_rule

Vulnerability Number

V-202064

Group Title

SRG-APP-000171

Rule Version

SRG-APP-000171-NDM-000258

Severity

CAT I

CCI(s)

• CCI-000196 - The information system, for password-based authentication, stores only cryptographically-protected passwords.

Weight

10

Fix Recommendation

Configure the network device, and any associated authentication servers, to store all passwords using cryptographic representations.

Configure all associated databases, configuration files, and log files to use only encrypted representations of passwords, and that no password strings are readable/discernable.

Potential locations include the local file system where configurations and events are stored, or in a network device-related database table.

Check Contents

Review the network device’s files using a text editor or a database tool that allows viewing data stored in database tables. Determine if password strings are readable/discernable.

Determine if the network device, and any associated authentication servers, enforce only storing cryptographic representations of passwords. Verify that databases, configuration files, and log files have encrypted representations of all passwords, and that no password strings are readable/discernable. Potential locations include the local file system where configurations and events are stored, or in a network device related database table. Also identify if the network device uses the MD5 hashing algorithm to create password hashes.

If the network device, or any associated authentication servers, stores unencrypted (clear text) representations of passwords, this is a finding.

If the network device uses MD5 hashing algorithm to create password hashes, this is a finding.

Vulnerability Number

V-202064

Documentable

False

Rule Version

SRG-APP-000171-NDM-000258

Severity Override Guidance

Review the network device’s files using a text editor or a database tool that allows viewing data stored in database tables. Determine if password strings are readable/discernable.

Determine if the network device, and any associated authentication servers, enforce only storing cryptographic representations of passwords. Verify that databases, configuration files, and log files have encrypted representations of all passwords, and that no password strings are readable/discernable. Potential locations include the local file system where configurations and events are stored, or in a network device related database table. Also identify if the network device uses the MD5 hashing algorithm to create password hashes.

If the network device, or any associated authentication servers, stores unencrypted (clear text) representations of passwords, this is a finding.

If the network device uses MD5 hashing algorithm to create password hashes, this is a finding.

Check Content Reference

M

Target Key

2890

Comments