STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020

Unnecessary application accounts must be disabled, or deleted.

DISA Rule

SV-222412r508029_rule

Vulnerability Number

V-222412

Group Title

SRG-APP-000025

Rule Version

APSC-DV-000330

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Design the application so unessential user accounts are not created during installation. Disable or delete all unnecessary application user accounts.

Check Contents

Review the system documentation and identify any valid application accounts that are required in order for the application to operate. Accounts the application itself uses in order to function are not in scope for this requirement.

Have the application administrator generate a list of all application users. This should include relevant user metadata such as phone numbers or department identifiers.

Have the application administrator identify and validate all user accounts.

If any accounts cannot be validated and are deemed to be unnecessary, this is a finding.

Documentable

False

Check Content Reference

M

Target Key

4093
