1.9 Ensure Days of non-use before lock-out is set to 30

Information

Days of non-use before lock-out: the number of days a user can go without a successful login before the account is locked out. This setting only takes effect if 'Deny access to unused accounts' is selected.

Rationale:

User accounts that have been unused for longer than a given period can be automatically disabled. It is recommended that accounts unused for 30 days be disabled. Unused accounts pose a threat to system security because their users are not logging in and so will not notice failed login attempts or other anomalies.

Solution

CLI:

Run the following command to set the deny-on-nonuse allowed-days setting:

Hostname>set password-controls deny-on-nonuse allowed-days 30

GUI:

Navigate to User Management > Password Policy > Deny access to unused accounts:
Set 'Days of non-use before lock-out' to 30 or less.

Note: This setting only takes effect if 'Deny access to unused accounts' is enabled.

Default Value:

365

See Also

https://workbench.cisecurity.org/files/2828

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2f.

Plugin: CheckPoint

Control ID: 55fc5360e3f79bb85f922159430b7ecbeac1b50afd880232651942ae9d49fd54