
CCI-001942

Definition

The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.

Parent Control

IA-2 (9): Identification and Authentication (Organizational Users)
Control family: Identification and Authentication

Linked STIG Checks (46)

  • V-222531 (CAT II): The application must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts. [Application Security and Development Security Technical Implementation Guide]
  • V-237327 (CAT II): The ArcGIS Server must implement replay-resistant authentication mechanisms for network access to privileged accounts and non-privileged accounts. [ArcGIS for Server 10.3 Security Technical Implementation Guide]
  • V-272627 (CAT III): CylanceON-PREM must be configured to use a third-party identity provider. [Arctic Wolf CylanceON-PREM Security Technical Implementation Guide]
  • V-237366 (CAT II): The CA API Gateway providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts. [CA API Gateway ALG Security Technical Implementation Guide]
  • V-219308 (CAT I): The Ubuntu operating system must enforce SSHv2 for network access to all accounts. [Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide]
  • V-237578 (CAT II): CounterACT, when providing user authentication intermediary services, must implement replay-resistant authentication mechanisms for network access to non-privileged accounts. [ForeScout CounterACT ALG Security Technical Implementation Guide]
  • V-267001 (CAT I): AOS, when used as an IPsec VPN Gateway, must use Internet Key Exchange (IKE) for IPsec VPN security associations (SAs). [HPE Aruba Networking AOS VPN Security Technical Implementation Guide]
  • V-215179 (CAT I): AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. [IBM AIX 7.x Security Technical Implementation Guide]
  • V-252561 (CAT II): IBM Aspera Console must be configured with a preestablished trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges. [IBM Aspera Platform 4.2 Security Technical Implementation Guide]
  • V-252589 (CAT II): IBM Aspera Faspex must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). [IBM Aspera Platform 4.2 Security Technical Implementation Guide]
  • V-252606 (CAT II): IBM Aspera Shares must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). [IBM Aspera Platform 4.2 Security Technical Implementation Guide]
  • V-65223 (CAT II): The DataPower Gateway providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts. [IBM DataPower ALG Security Technical Implementation Guide]
  • V-251026 (CAT II): The Sentry providing mobile device authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts. [Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation Guide]
  • V-251026 (CAT II): The Sentry providing mobile device authentication intermediary services must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts. [Ivanti Sentry 9.x ALG Security Technical Implementation Guide]
  • V-66679 (CAT II): The Juniper SRX Services Gateway VPN must use anti-replay mechanisms for security associations. [Juniper SRX SG VPN Security Technical Implementation Guide]
  • V-214696 (CAT II): The Juniper SRX Services Gateway VPN must use anti-replay mechanisms for security associations. [Juniper SRX Services Gateway VPN Security Technical Implementation Guide]
  • V-235774 (CAT II): The built-in DNS client must be disabled. [Microsoft Edge Security Technical Implementation Guide]
  • V-224965 (CAT II): Kerberos user logon restrictions must be enforced. [Microsoft Windows Server 2016 Security Technical Implementation Guide]
  • V-224966 (CAT II): The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. [Microsoft Windows Server 2016 Security Technical Implementation Guide]
  • V-224967 (CAT II): The Kerberos user ticket lifetime must be limited to 10 hours or less. [Microsoft Windows Server 2016 Security Technical Implementation Guide]
  • V-224968 (CAT II): The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less. [Microsoft Windows Server 2016 Security Technical Implementation Guide]
  • V-224969 (CAT II): The computer clock synchronization tolerance must be limited to 5 minutes or less. [Microsoft Windows Server 2016 Security Technical Implementation Guide]
  • V-205702 (CAT II): Windows Server 2019 Kerberos user logon restrictions must be enforced. [Microsoft Windows Server 2019 Security Technical Implementation Guide]
  • V-205703 (CAT II): Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. [Microsoft Windows Server 2019 Security Technical Implementation Guide]
  • V-205704 (CAT II): Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less. [Microsoft Windows Server 2019 Security Technical Implementation Guide]
  • V-205705 (CAT II): Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less. [Microsoft Windows Server 2019 Security Technical Implementation Guide]
  • V-205706 (CAT II): Windows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less. [Microsoft Windows Server 2019 Security Technical Implementation Guide]
  • V-254386 (CAT II): Windows Server 2022 Kerberos user logon restrictions must be enforced. [Microsoft Windows Server 2022 Security Technical Implementation Guide]
  • V-254387 (CAT II): Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. [Microsoft Windows Server 2022 Security Technical Implementation Guide]
  • V-254388 (CAT II): Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less. [Microsoft Windows Server 2022 Security Technical Implementation Guide]
  • V-254389 (CAT II): Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less. [Microsoft Windows Server 2022 Security Technical Implementation Guide]
  • V-254390 (CAT II): Windows Server 2022 computer clock synchronization tolerance must be limited to five minutes or less. [Microsoft Windows Server 2022 Security Technical Implementation Guide]
  • V-254205 (CAT II): Nutanix AOS must implement replay-resistant authentication mechanisms for network access to privileged accounts. [Nutanix AOS 5.20.x OS Security Technical Implementation Guide]
  • V-273206 (CAT II): Okta must be configured to disable persistent global session cookies. [Okta Identity as a Service (IDaaS) Security Technical Implementation Guide]
  • V-258121 (CAT II): RHEL 9 must use the common access card (CAC) smart card driver. [Red Hat Enterprise Linux 9 Security Technical Implementation Guide]
  • V-257543 (CAT I): OpenShift must use FIPS validated LDAP or OpenIDConnect. [Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide]
  • V-261327 (CAT I): SLEM 5 must have SSH installed to protect the confidentiality and integrity of transmitted information. [SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide]
  • V-216387 (CAT II): The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception). [Solaris 11 SPARC Security Technical Implementation Guide]
  • V-216150 (CAT II): The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception). [Solaris 11 X86 Security Technical Implementation Guide]
  • V-94291 (CAT II): Symantec ProxySG providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts. [Symantec ProxySG ALG Security Technical Implementation Guide]
  • V-240460 (CAT II): The SLES for vRealize must enforce SSHv2 for network access to non-privileged accounts. [VMware vRealize Automation 7.x SLES Security Technical Implementation Guide]
  • V-239554 (CAT II): The SLES for vRealize must enforce SSHv2 for network access to non-privileged accounts. [VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide]
  • V-256402 (CAT III): The ESXi host must use Active Directory for local user authentication. [VMware vSphere 7.0 ESXi Security Technical Implementation Guide]
  • V-256503 (CAT II): The Photon operating system must use an OpenSSH server version that does not support protocol 1. [VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide]
  • V-256318 (CAT I): The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access. [VMware vSphere 7.0 vCenter Security Technical Implementation Guide]
  • V-258737 (CAT III): The ESXi host must uniquely identify and must authenticate organizational users by using Active Directory. [VMware vSphere 8.0 ESXi Security Technical Implementation Guide]