Title: The DBMS must automatically terminate emergency accounts after an organization defined time period for each type of account.
Vulnerability ID: V-32537
IA Controls: None
Description: Emergency application accounts are typically created due to an unforeseen operational event or could ostensibly be used in the event of a vendor support visit where a support representative requires a temporary unique account in order to perform diagnostic testing or conduct some other support related activity. When these types of accounts are created, there is a risk that the temporary account may remain in place and active after the support representative has left.
In the event emergency application accounts are required, the application must ensure accounts that are designated as temporary in nature shall automatically terminate these accounts after an organization defined time period. Such a process and capability greatly reduces the risk that accounts will be misused, hijacked, or application data compromised.
To address the multitude of policy based access requirements, many application developers choose to integrate their applications with enterprise level authentication/access mechanisms that meet or exceed access control policy requirements. This type of integration allows the application developer to off-load those access control functions and focus on core application features and functionality.
Examples of enterprise level authentication/access mechanisms include, but are not limited to, Active Directory and LDAP.
The application must provide or utilize a mechanism to automatically terminate accounts that have been designated as temporary or emergency accounts after an organization defined time period.
Emergency database accounts must be automatically terminated after an organization defined time period in order to mitigate the risk of the account being misused.
Check Text: Check DBMS settings, OS settings, and/or enterprise level authentication/access mechanisms settings to determine if emergency accounts are being automatically terminated by the system after an organization defined time period. If emergency accounts are not being terminated after an organization defined time period, this is a finding.
Fix Text: Configure DBMS, OS, and/or enterprise level authentication/access mechanisms to terminate emergency accounts after an organization defined time period.[divider]