Rule ID
SV-242617r960840_rule
Version
V2R3
CCIs
CCI-000044
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. If the administrator enters an incorrect password three times, the Admin portal locks the account, adds a log entry in the Server Administrator Logins report, and suspends the credentials until it is reset.
Verify ISE will disable accounts for at least 15 minutes after a maximum of three consecutive invalid logon attempts. From web admin portal: 1. Choose Administration >> System >> Admin Access >> Authentication >> Lock/Suspend Settings. 2. Verify the "Take action after [ ] failed attempts" setting is set to a value of 3 or lower. 3. Verify the "Suspend account for [ ] minutes" setting is selected and set to be 15 minutes or higher If the lockout for admin accounts is not configured to lock the account after a maximum of three incorrect passwords are attempted, this is a finding. If the lockout for admin accounts is not configured to lock the account for a minimum of 15 minutes, this is a finding.
Configure ISE to disable accounts for at least 15 minutes after a maximum of three consecutive invalid logon attempts. From web admin portal: 1. Choose Administration >> System >> Admin Access >> Authentication >> Lock/Suspend Settings. 2. Configure the "Take action after [ ] failed attempts" setting to be set to a value of 3 or lower. 3. Check the "Suspend account for [ ] minutes" setting and set to be 15 minutes or higher. 4. Click Save. Note: This setting will propagate to the ADE-OS applying the settings for the CLI accounts as well.