Detections
Analytics

800-53|IA-5

Title

AUTHENTICATOR MANAGEMENT

Description

The organization manages information system authenticators by:

Supplemental

Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords.

Reference Item Details

Related: AC-2,AC-3,AC-6,CM-6,IA-2,IA-4,IA-8,PL-4,PS-5,PS-6,SC-12,SC-13,SC-17,SC-28

Category: IDENTIFICATION AND AUTHENTICATION

Family: IDENTIFICATION AND AUTHENTICATION

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1 Ensure Minimum Password Length is set to 14 or higherCheckPointCIS Check Point Firewall L1 v1.1.0
1.1.1 - /etc/security/user - 'mindiff >= 4'UnixCIS AIX 5.3/6.1 L1 v1.1.0
1.1.1 Ensure 'Logon Password' is setCiscoCIS Cisco Firewall ASA 9 L1 v4.1.0
1.1.1.4 Set 'Minimum password length' to '14 or more character(s)'WindowsCIS Windows 8 L1 v1.0.0
1.1.1.5 Set 'Enforce password history' to '24 or more password(s)'WindowsCIS Windows 8 L1 v1.0.0
1.1.1.6 Set 'Password must meet complexity requirements' to 'Enabled'WindowsCIS Windows 8 L1 v1.0.0
1.1.1.7 Set 'Store passwords using reversible encryption' to 'Disabled'WindowsCIS Windows 8 L1 v1.0.0
1.1.1.8 Set 'Minimum password age' to '1 or more day(s)'WindowsCIS Windows 8 L1 v1.0.0
1.1.1.9 Set 'Maximum password age' to '60 or fewer days'WindowsCIS Windows 8 L1 v1.0.0
1.1.2 - /etc/security/user - 'minage >= 1'UnixCIS AIX 5.3/6.1 L1 v1.1.0
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
1.1.2 Ensure that the --basic-auth-file argument is not setUnixCIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.3 - /etc/security/user - 'maxage <= 13' but not 0UnixCIS AIX 5.3/6.1 L1 v1.1.0
1.1.3 - AirWatch - Disallow Simple PasscodeMDMAirWatch - CIS Apple iOS 9 v1.0.0 L2
1.1.3 - AirWatch - Disallow Simple PasscodeMDMAirWatch - CIS Apple iOS 8 v1.0.0 L2
1.1.3 - AirWatch - Enable 'Require alphanumeric value'MDMAirWatch - CIS Google Android 4 v1.0.0 L1
1.1.3 - MobileIron - Disallow Simple PasscodeMDMMobileIron - CIS Apple iOS 9 v1.0.0 L2
1.1.3 - MobileIron - Disallow Simple PasscodeMDMMobileIron - CIS Apple iOS 8 v1.0.0 L2
1.1.3 - MobileIron - Enable 'Require alphanumeric value'MDMMobileIron - CIS Google Android 4 v1.0.0 L1
1.1.3.1.6 Set 'Accounts: Limit local account use of blank passwords to console logon only' to 'Enabled'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.5.4 Set 'Domain member: Maximum machine account password age' to '30 or fewer day(s)'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.6.3 Configure 'Interactive logon: Require smart card'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.6.5 Set 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' to '4 or fewer logon(s)'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.10.6 Set 'Network access: Sharing and security model for local accounts' to 'Classic - local users authenticate as themselves'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.10.11 Configure 'Network access: Do not allow storage of passwords and credentials for network authentication'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.11.1 Set 'Network security: Do not store LAN Manager hash value on next password change' to 'Enabled'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.11.5 'Network Security: Restrict NTLM: NTLM authentication in this domain'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.11.11 Set 'Network security: LAN Manager authentication level' to 'Send NTLMv2 response only. Refuse LM & NTLM'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.11.13 Configure 'Network Security: Restrict NTLM: Audit NTLM authentication in this domain'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.11.16 Set 'Network security: LDAP client signing requirements' to 'Negotiate signing'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.14.1 Configure 'System cryptography: Force strong key protection for user keys stored on the computer'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.17.2 Set 'User Account Control: Detect application installations and prompt for elevation' to 'Enabled'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.17.6 Set 'User Account Control: Virtualize file and registry write failures to per-user locations' to 'Enabled'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.17.10 Set 'User Account Control: Run all administrators in Admin Approval Mode' to 'Enabled'WindowsCIS Windows 8 L1 v1.0.0
1.1.4 - /etc/security/user - 'minlen = 8'UnixCIS AIX 5.3/6.1 L1 v1.1.0
1.1.5 - /etc/security/user - 'minalpha >= 2'UnixCIS AIX 5.3/6.1 L1 v1.1.0
1.1.6 - /etc/security/user - 'minother >= 2'UnixCIS AIX 5.3/6.1 L1 v1.1.0
1.1.7 - /etc/security/user - 'maxrepeats <= 2'UnixCIS AIX 5.3/6.1 L1 v1.1.0
1.1.10 - /etc/security/user - 'maxexpired <= 2'UnixCIS AIX 5.3/6.1 L1 v1.1.0
1.1.11 - /etc/security/login.cfg - 'pwd_algorithm = ssha256 (AIX 5.3 TL7+ only)'UnixCIS AIX 5.3/6.1 L2 v1.1.0
1.1.20 Ensure that the --token-auth-file parameter is not setUnixCIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.23 Ensure that the --service-account-lookup argument is set to trueUnixCIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.23 Ensure that the --service-account-lookup argument is set to trueUnixCIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.25 Ensure that the --service-account-key-file argument is set as appropriateUnixCIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-cert-fileUnixCIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-cert-fileUnixCIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-private-key-fileUnixCIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-private-key-fileUnixCIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.29 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-cert-fileUnixCIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.29 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-private-key-fileUnixCIS Kubernetes 1.7.0 Benchmark v1.1.0 L1