Device Class 1: Unsuccessful Authentication Attempts

Control ID: AC-7 Unsuccessful Authentication Attempts
Family: Access Control
Source: NIST 800-53r4
Control: The information system:
  1. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
  2. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
Supplemental Guidance:
This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels.

Related Controls: AC-2, AC-14, IA-5, AC-9
Control Enhancements: N/A
References: N/A
Mechanisms:

  • The device supports the functionality of defining what types of authentication attempts shall be counted for the purposes of further security action.
  • The device shall support login as one of these types of authentication attempts and may support other types of authentication attempts, for example authentication attempts for specific types of access to specific resources.
  • The device shall support counting unsuccessful authentication attempts for users and locking them out for a period of time.
  • The device is configurable such that for accounts with identified privileged roles the threshold number of unsuccessful login attempts is 3 in five minutes and the lockout period is five minutes starting immediately after the third unsuccessful login attempt.
  • The device may be configurable such that a user role exists that allows a user in that role to unlock other user accounts before the lockout period expires.
  • This feature should not reveal valid users of the system through the invalid login error messages it gives. Generic error messages should be provided that do not reveal valid user information.
  • The authentication system response time should not be noticeably different for valid and invalid users.
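The mechanisms above describe one coherent behaviour: count failed logons per account inside a sliding time window, lock the account for a fixed period as soon as the threshold is reached, let a designated role release the lock early, and never let the error message or the response time reveal whether the user name exists. The following Python sketch is an added example written for this page, not code from any device or from NIST. The privileged-role values (3 failures in 5 minutes, 5-minute lockout starting at the third failure) are the ones the mechanisms list fixes; the "standard" role values, the role name `account_unlocker`, and the `Authenticator` class and its methods are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from collections import deque
from dataclasses import dataclass, field

# Privileged-role values are the ones the mechanisms list fixes: 3 failures
# within 5 minutes, then a 5-minute lockout that starts at the third failure.
# The "standard" role values and the name of the unlock role are assumptions
# made for this example; the control leaves them organisation-defined.
POLICY = {
    "privileged": {"threshold": 3, "window": 300, "lockout": 300},
    "standard":   {"threshold": 5, "window": 900, "lockout": 900},  # assumed
}
UNLOCK_ROLE = "account_unlocker"             # assumed role name (AC-7/5)
GENERIC_FAILURE = "Authentication failed."   # one message for every failure cause
PBKDF2_ROUNDS = 20_000                       # kept low so the example runs quickly


@dataclass
class Account:
    role: str
    salt: bytes
    pw_hash: bytes
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0                        # 0 means not locked


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Authenticator:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        # Decoy credential: unknown user names cost the same hashing work as
        # real ones, so response time does not reveal which names exist.
        self._decoy_salt = secrets.token_bytes(16)
        self._decoy_hash = derive(secrets.token_hex(16), self._decoy_salt)

    def add_user(self, name: str, password: str, role: str = "standard") -> None:
        salt = secrets.token_bytes(16)
        self.accounts[name] = Account(role, salt, derive(password, salt))

    def is_locked(self, name: str, now: float) -> bool:
        acct = self.accounts.get(name)
        return acct is not None and now < acct.locked_until

    def login(self, name: str, password: str, now: float) -> tuple[bool, str]:
        """Return (success, message). `now` is a timestamp in seconds."""
        acct = self.accounts.get(name)
        salt, expected = (acct.salt, acct.pw_hash) if acct else (self._decoy_salt, self._decoy_hash)
        # Always do one derivation and one constant-time compare, whatever the outcome.
        matches = hmac.compare_digest(derive(password, salt), expected)

        if acct is None or now < acct.locked_until:
            return (False, GENERIC_FAILURE)   # unknown user or locked: same message
        if matches:
            acct.failures.clear()
            return (True, "OK")

        policy = POLICY[acct.role]
        acct.failures.append(now)
        # Keep only failures inside the sliding window.
        while acct.failures and now - acct.failures[0] > policy["window"]:
            acct.failures.popleft()
        if len(acct.failures) >= policy["threshold"]:
            acct.locked_until = now + policy["lockout"]   # lockout starts immediately
            acct.failures.clear()
        return (False, GENERIC_FAILURE)

    def unlock(self, actor: str, target: str) -> bool:
        """Early release of a lock; only a user in UNLOCK_ROLE may do it (AC-7/5)."""
        who = self.accounts.get(actor)
        acct = self.accounts.get(target)
        if who is None or who.role != UNLOCK_ROLE or acct is None:
            return False
        acct.locked_until = 0.0
        acct.failures.clear()
        return True
```

Two design points are worth noting. A locked account rejects even the correct password with the same generic message, so an attempt during the lockout cannot be used to confirm a guess; and the decoy credential plus `hmac.compare_digest` keep the hashing work and the comparison the same for unknown names, locked accounts and wrong passwords, which is what the last two mechanisms ask for.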

Protocol Implementation Conformance Statements:
| ID     | Statement | Status | Reference | Notes |
|--------|-----------|--------|-----------|-------|
| AC-7/1 | Support defining at least one type of authentication attempt as one to be counted for further security action | M | | |
| AC-7/2 | Support logon as one of those authentication attempts | M | | |
| AC-7/3 | Support other types of authentication attempts | O | | |
| AC-7/4 | Support the mechanism of AC-7/1 such that for accounts with identified privileged roles the threshold number of unsuccessful login attempts is 3 in five minutes and the lockout period is five minutes starting immediately after the third unsuccessful login attempt | M | AC-7/1 | |
| AC-7/5 | Support that a role exists which can unlock locked accounts before the lockout period expires | O | | |