JUEX-NM-000910 - The Juniper EX switch must change credentials for account of last resort when administrators who know the credential leave the organization.

Information

A shared/group account credential is a shared form of authentication that allows multiple individuals to access the network device using a single account. If shared/group account credentials are not terminated when individuals leave the group, the user that left the group can still gain access even though they are no longer authorized. There may also be instances when specific user actions need to be performed on the network device without unique administrator identification or authentication. Examples of credentials include passwords and group membership certificates.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Document this process in the SSP. Change the account of last resort to a new password when administrators who know the credential leave the organization

Set the password for the account of last resort:
set system login user <account of last resort name> authentication plain-text-password
New password: <password - not echoed to the screen>
Retype new password: <password verification - not echoed to the screen>

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Juniper_EX_Switches_Y24M07_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(5), CAT|II, CCI|CCI-004045, Rule-ID|SV-253946r1001015_rule, STIG-ID|JUEX-NM-000910, Vuln-ID|V-253946

Plugin: Juniper

Control ID: 528ecfe72b3f292be30d0329df8e742198f74443991e24c0566e0677b670395b