Network Device Management Rules : Ensuring limited login attempts
  
Ensuring limited login attempts
Rule Title: RiOS must enforce the limit of three (3) consecutive invalid login attempts by a user during a 15-minute time period for device console access.
STIG ID: RICX-DM-000024
Rule ID: SV-77349r1_rule
Severity: CAT II
Vuln ID: V-62859
Class: Unclass
By limiting the number of failed login attempts, the risk of unauthorized system access through user password guessing, otherwise known as brute-forcing, is reduced.
Verifying the system is configured for a limited number of login attempts
Verify that RiOS is configured to limit the number of invalid login attempts during a 15-minute period to 3.
1. Connect to the Management Console.
2. Choose Administration > Security: Password Policy to display the Password Policy page.
3. Verify that the Maximum unsuccessful logins before account lockout text box is set to 3.
4. Verify that the Wait before account unlock text box is set to 900 seconds.
5. If these settings are missing or incorrect, this is a security vulnerability finding.
Configuring the system for a limited number of login attempts
Configure RiOS to limit the number of invalid login attempts during a 15-minute period to 3.
1. Connect to the Management Console.
2. Choose Administration > Security: Password Policy to display the Password Policy page.
3. Set the Login Attempts Before Lockout text box to 3.
4. Set the Timeout for the User Login After Lockout (seconds) text box to 900 seconds.
5. Click Apply.
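The two settings above only make sense together: the attempt limit counts consecutive failures inside a window, and the unlock timeout decides how long a locked account stays locked. The following Python model of that policy is an added example written for this page; it is not RiOS code and is not how RiOS stores its counters. The class and function names (`LockoutPolicy`, `record_attempt`, `simulate`) and the sample login sequence are constructed for illustration. It uses the rule's own numbers (3 failures, 900-second window, 900-second lockout) and shows the behaviour an assessor expects: a correct password is still rejected while the lockout is active, a successful login resets the consecutive-failure count, and failures that fall outside the window no longer count.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Policy values taken from the STIG rule text: 3 consecutive invalid attempts
# within a 15-minute (900 s) period lock the account; the lock lasts 900 s.
MAX_FAILURES = 3
FAILURE_WINDOW_S = 900
LOCKOUT_S = 900


@dataclass
class AccountState:
    """Per-user lockout bookkeeping (constructed for this example)."""
    failures: List[float] = field(default_factory=list)  # timestamps of consecutive failures
    locked_until: Optional[float] = None                 # lockout expiry, or None if not locked


class LockoutPolicy:
    """Models the 'attempts before lockout' / 'wait before unlock' pair of settings."""

    def __init__(self, max_failures: int = MAX_FAILURES,
                 window_s: float = FAILURE_WINDOW_S,
                 lockout_s: float = LOCKOUT_S) -> None:
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        st = self.accounts.get(user)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def record_attempt(self, user: str, success: bool, now: float) -> str:
        """Apply one login attempt at time `now` (seconds).

        Returns 'ok' (accepted), 'denied' (bad credentials, not yet locked) or
        'locked' (the account is locked; this attempt either triggered the
        lockout or was rejected because the lockout is still active).
        """
        st = self.accounts.setdefault(user, AccountState())

        # A locked account rejects every attempt, even a correct password,
        # until the unlock timeout has elapsed.
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"
            st.locked_until = None   # lockout expired: start with a clean slate
            st.failures = []

        if success:
            st.failures = []         # a successful login breaks the consecutive-failure chain
            return "ok"

        # Only failures inside the 15-minute window count as "consecutive".
        st.failures = [t for t in st.failures if now - t < self.window_s]
        st.failures.append(now)
        if len(st.failures) >= self.max_failures:
            st.locked_until = now + self.lockout_s
            st.failures = []
            return "locked"
        return "denied"


def simulate(events: List[Tuple[float, str, bool]]) -> List[str]:
    """Run a sequence of (time_s, user, success) events through a fresh policy."""
    policy = LockoutPolicy()
    return [policy.record_attempt(user, ok, t) for (t, user, ok) in events]


if __name__ == "__main__":
    # Constructed sample: three bad passwords for 'admin' in quick succession,
    # then a correct one during the lockout, then a correct one after it expires.
    sample = [(0, "admin", False), (1, "admin", False), (2, "admin", False),
              (100, "admin", True), (903, "admin", True)]
    for event, result in zip(sample, simulate(sample)):
        print(f"t={event[0]:>4}s user={event[1]} success={event[2]!s:<5} -> {result}")
```

Running the block prints the outcome of each constructed attempt; the third failure triggers the lockout, the correct password at t=100 s is still rejected, and the login at t=903 s succeeds because the 900-second wait has passed. Failures spread more than 900 seconds apart never accumulate to three, which is why the check in the verification steps looks at both text boxes rather than only the attempt count.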