
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-001682

Definition

Automatically remove or disable emergency accounts after an organization-defined time period for each type of account.

Parent Control

AC-2 (2): Account Management (Access Control)

Linked STIG Checks (60)

  • V-204680 | CAT II | AAA Services must be configured to prevent automatically removing emergency accounts. | AAA Services Security Requirements Guide
  • V-204681 | CAT III | AAA Services must be configured to prevent automatically disabling emergency accounts. | AAA Services Security Requirements Guide
  • V-274150 | CAT II | Amazon Linux 2023 must automatically expire temporary accounts within 72 hours. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-268079 | CAT II | NixOS emergency or temporary user accounts must be provisioned with an expiration time of 72 hours or less. | Anduril NixOS Security Technical Implementation Guide
  • V-252444 | CAT II | The macOS system must automatically remove or disable temporary and emergency user accounts after 72 hours. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
  • V-257150 | CAT II | The macOS system must automatically remove or disable temporary and emergency user accounts after 72 hours. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
  • V-268426 | CAT II | The macOS system must automatically remove or disable temporary or emergency user accounts within 72 hours. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-277034 | CAT II | The macOS system must automatically remove or disable temporary or emergency user accounts within 72 hours. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-237332 | CAT II | The ArcGIS Server must be configured such that emergency accounts are never automatically removed or disabled. | ArcGIS for Server 10.3 Security Technical Implementation Guide
  • V-256842 | CAT II | Compliance Guardian must provide automated mechanisms for supporting account management functions. | AvePoint Compliance Guardian Security Technical Implementation Guide
  • V-255508 | CAT II | The CA API Gateway must automatically remove or disable emergency accounts, except the emergency administration account, after 72 hours. | CA API Gateway NDM Security Technical Implementation Guide
  • V-219327 | CAT III | The Ubuntu operating system must automatically expire temporary accounts within 72 hours. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
  • V-238331 | CAT III | The Ubuntu operating system must automatically expire temporary accounts within 72 hours. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
  • V-260548 | CAT II | Ubuntu 22.04 LTS must automatically expire temporary accounts within 72 hours. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-270682 | CAT II | Ubuntu 24.04 LTS must automatically remove or disable emergency accounts after 72 hours. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-269128 | CAT II | AlmaLinux OS 9 must automatically expire temporary accounts within 72 hours. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-233126 | CAT II | The container platform must never automatically remove or disable emergency accounts. | Container Platform Security Requirements Guide
  • V-270919 | CAT II | The Dragos Platform must only allow local administrative and service user accounts. | Dragos Platform 2.x Security Technical Implementation Guide
  • V-228992 | CAT II | The BIG-IP appliance must be configured to automatically remove or disable emergency accounts after 72 hours. | F5 BIG-IP Device Management Security Technical Implementation Guide
  • V-203652 | CAT II | The information system must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours. | General Purpose Operating System Security Requirements Guide
  • V-237824 | CAT I | The storage system must be configured to have only 1 emergency account which can be accessed without LDAP, and which has full administrator capabilities. | HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide
  • V-255279 | CAT II | The HPE 3PAR OS must be configured to have only one emergency account that can be accessed without LDAP and that has full administrator privileges. | HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide
  • V-215180 | CAT II | The AIX system must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours. | IBM AIX 7.x Security Technical Implementation Guide
  • V-223578 | CAT II | IBM z/OS system administrator must develop a procedure to automatically remove or disable emergency accounts after the crisis is resolved or 72 hours. | IBM z/OS ACF2 Security Technical Implementation Guide
  • V-223652 | CAT II | IBM RACF emergency USERIDs must be properly defined. | IBM z/OS RACF Security Technical Implementation Guide
  • V-223761 | CAT II | The IBM z/OS system administrator (SA) must develop a process to disable emergency accounts after the crisis is resolved or 72 hours. | IBM z/OS RACF Security Technical Implementation Guide
  • V-224036 | CAT II | IBM z/OS system administrator (SA) must develop a procedure to remove or disable emergency accounts after the crisis is resolved or 72 hours. | IBM z/OS TSS Security Technical Implementation Guide
  • V-237933 | CAT II | IBM z/VM must remove or disable emergency accounts after the crisis is resolved or 72 hours. | IBM zVM Using CA VM:Secure Security Technical Implementation Guide
  • V-205522 | CAT II | The Mainframe Product must be configured such that emergency accounts are never automatically removed or disabled. | Mainframe Product Security Requirements Guide
  • V-270335 | CAT II | Microsoft Entra ID must use Privileged Identity Management (PIM). | Microsoft Entra ID Security Technical Implementation Guide
  • V-224849 | CAT II | Windows Server 2016 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | Microsoft Windows Server 2016 Security Technical Implementation Guide
  • V-205710 | CAT II | Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | Microsoft Windows Server 2019 Security Technical Implementation Guide
  • V-254268 | CAT II | Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | Microsoft Windows Server 2022 Security Technical Implementation Guide
  • V-278014 | CAT II | Windows Server 2025 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | Microsoft Windows Server 2025 Security Technical Implementation Guide
  • V-254126 | CAT III | Nutanix AOS must automatically remove or disable temporary user accounts after 72 hours. | Nutanix AOS 5.20.x OS Security Technical Implementation Guide
  • V-254522 | CAT II | The Oracle Linux operating system must automatically expire temporary accounts within 72 hours. | Oracle Linux 7 Security Technical Implementation Guide
  • V-248708 | CAT II | OL 8 must automatically expire temporary accounts within 72 hours. | Oracle Linux 8 Security Technical Implementation Guide
  • V-271843 | CAT II | OL 9 must automatically expire temporary accounts within 72 hours. | Oracle Linux 9 Security Technical Implementation Guide
  • V-252847 | CAT II | Rancher MCM must never automatically remove or disable emergency accounts. | Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide
  • V-281173 | CAT II | RHEL 10 must automatically expire temporary accounts within 72 hours. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-254523 | CAT II | The Red Hat Enterprise Linux operating system must automatically expire temporary accounts within 72 hours. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide
  • V-230374 | CAT II | RHEL 8 must automatically expire temporary accounts within 72 hours. | Red Hat Enterprise Linux 8 Security Technical Implementation Guide
  • V-258047 | CAT II | RHEL 9 must automatically expire temporary accounts within 72 hours. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-256980 | CAT II | The SUSE operating system must automatically expire temporary accounts within 72 hours. | SLES 12 Security Technical Implementation Guide
  • V-261355 | CAT II | SLEM 5 must automatically expire temporary accounts within 72 hours. | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
  • V-261356 | CAT II | SLEM 5 must never automatically remove or disable emergency administrator accounts. | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
  • V-217135 | CAT II | The SUSE operating system must never automatically remove or disable emergency administrator accounts. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
  • V-256980 | CAT II | The SUSE operating system must automatically expire temporary accounts within 72 hours. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
  • V-252954 | CAT II | TOSS must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
  • V-282352 | CAT II | TOSS 5 must automatically expire temporary accounts within 72 hours. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
  • V-240466 | CAT II | The SLES for vRealize must be configured such that emergency administrator accounts are never automatically removed or disabled. | VMware vRealize Automation 7.x SLES Security Technical Implementation Guide
  • V-239559 | CAT II | The SLES for vRealize must be configured such that emergency administrator accounts are never automatically removed or disabled. | VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide
  • V-256375 | CAT II | Access to the ESXi host must be limited by enabling lockdown mode. | VMware vSphere 7.0 ESXi Security Technical Implementation Guide
  • V-256323 | CAT II | The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users. | VMware vSphere 7.0 vCenter Security Technical Implementation Guide
  • V-258737 | CAT III | The ESXi host must uniquely identify and must authenticate organizational users by using Active Directory. | VMware vSphere 8.0 ESXi Security Technical Implementation Guide
  • V-258909 | CAT II | The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users. | VMware vSphere 8.0 vCenter Security Technical Implementation Guide
  • V-207398 | CAT II | The VMM must automatically remove or disable emergency accounts after the crisis is resolved or 72 hours. | Virtual Machine Manager Security Requirements Guide
  • V-73285 | CAT II | Windows Server 2016 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | Windows Server 2016 Security Technical Implementation Guide
  • V-73285 | CAT II | Windows Server 2016 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | Windows Server 2016 Security Technical Implementation Guide
  • V-92977 | CAT II | Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | Windows Server 2019 Security Technical Implementation Guide