ISEC7 SPHERE must disable or delete local account created during application installation and configuration.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-224767 | ISEC-06-000660 | SV-224767r1013815_rule | High |
| Description |
| The ISEC7 local account password complexity controls do not meet DOD requirements; therefore, admins have the capability to configure the account out of compliance, which could allow attacker to gain unauthorized access to the server and access to command MDM servers. |
| STIG | Date |
| ISEC7 Sphere Security Technical Implementation Guide | 2024-08-20 |
Details
| Check Text (C-26458r1013813_chk) |
| Log in to the ISEC7 SPHERE console. Navigate to Administration >> Configuration >> Account Management >> Users. Select "Edit" next to the local account Admin. Verify "Log in disabled" has been selected. If "Log in disabled" has not been selected, this is a finding. |
| Fix Text (F-26446r1013814_fix) |
| Log in to the ISEC7 SPHERE console. Navigate to Administration >> Configuration >> Account Management >> Users. Select "Edit" next to the local account Admin. Check "Log in disabled" for the account. Click "Save". |