Establish, implement, and maintain the interactive logon settings.


CONTROL ID
01739
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Configure the system to refrain from completing authentication methods when a security breach is detected., CC ID: 13790
  • Allow logon to privileged accounts, as appropriate., CC ID: 05281
  • Verify the logon accounts include an appropriate GECOS identifier, as appropriate., CC ID: 05280
  • Configure the "/etc/shadow" settings to organizational standards., CC ID: 15332
  • Set the default su console properly., CC ID: 05279
  • Set the default logon console properly., CC ID: 05278
  • Enable or disable local user logon to the vsftpd service, as appropriate., CC ID: 05277
  • Enable or disable anonymous root logons, as appropriate., CC ID: 05276
  • Enable or disable interactive logon to non-root system accounts, as necessary., CC ID: 05275
  • Enable or disable logins through the primary console device, as appropriate., CC ID: 05274
  • Enable or disable logins through the named virtual console device, as appropriate., CC ID: 05273
  • Enable or disable logons through the named virtual console interface, as appropriate., CC ID: 05272
  • Configure the "Interactive logon: Do not display last user name" setting to organizational standards., CC ID: 01740
  • Configure the "Interactive logon: Do not require CTRL+ALT+DEL" setting., CC ID: 01741
  • Configure the system logon banner., CC ID: 01742
  • Configure the system logon banner message title., CC ID: 01743
  • Configure the "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" setting., CC ID: 01744
  • Configure the "Interactive logon: Require Domain Controller authentication to unlock workstation" setting., CC ID: 01746
  • Configure the "Prompt for password on resume from hibernate / suspend" setting., CC ID: 04356
  • Configure the "Interactive logon: Smart card removal behavior" setting., CC ID: 01747
  • Configure the "Recovery console: Allow automatic administrative logon" setting., CC ID: 01776
  • Configure the "Recovery console: Allow floppy copy and access to all drives and all folders" setting., CC ID: 01777
  • Configure the system to require an Open Firmware password on system startup., CC ID: 04479
  • Configure the "Interactive logon: Require removal card" setting., CC ID: 06053


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • For system accounts on behalf of which critical services or servers are run, the control system shall provide the capability to disallow interactive logons. (5.13.1 ¶ 2, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Interactive use is prevented unless needed for an exceptional circumstance. (8.6.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Interactive use is limited to the time needed for the exceptional circumstance. (8.6.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Interactive use is prevented unless needed for an exceptional circumstance. (8.6.1 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Interactive use is limited to the time needed for the exceptional circumstance. (8.6.1 Bullet 2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Interactive use is prevented unless needed for an exceptional circumstance. (8.6.1 Bullet 1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Interactive use is limited to the time needed for the exceptional circumstance. (8.6.1 Bullet 2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Interactive use is prevented unless needed for an exceptional circumstance. (8.6.1 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Interactive use is limited to the time needed for the exceptional circumstance. (8.6.1 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Interactive use is limited to the time needed for the exceptional circumstance. (8.6.1 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Interactive use is prevented unless needed for an exceptional circumstance. (8.6.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Sign-on mechanisms should be configured to provide information so that they display no identifying details until after sign-on is completed successfully. (CF.06.07.03a, The Standard of Good Practice for Information Security)
  • Network devices should be configured to integrate with access control mechanisms in other devices (e.g., to provide strong authentication). (CF.09.01.04d, The Standard of Good Practice for Information Security)
  • Sign-on mechanisms should be configured to provide information so that they display no identifying details until after sign-on is completed successfully. (CF.06.07.03a, The Standard of Good Practice for Information Security, 2013)
  • Network devices should be configured to integrate with access control mechanisms in other devices (e.g., to provide strong authentication). (CF.09.01.04d, The Standard of Good Practice for Information Security, 2013)