800-53|AC-2(3)

Title

DISABLE INACTIVE ACCOUNTS

Description

The information system automatically disables inactive accounts after [Assignment: organization-defined time period].

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Category: ACCESS CONTROL

Parent Title: ACCOUNT MANAGEMENT

Family: ACCESS CONTROL

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1.2 (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
1.1.3 Ensure 'Minimum password age' is set to '1 or more day(s)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
1.1.4 Ensure Guest Users are reviewed at least biweekly	microsoft_azure	CIS Microsoft 365 Foundations E3 L1 v3.1.0
1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days	Palo_Alto	CIS Palo Alto Firewall 11 v1.1.0 L1
1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days	Palo_Alto	CIS Palo Alto Firewall 10 v1.2.0 L1
1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days	Palo_Alto	CIS Palo Alto Firewall 9 v1.1.0 L1
1.4.1.3 Ensure known default accounts do not exist	Cisco	CIS Cisco ASA 9.x Firewall L1 v1.1.0
1.8 Ensure that users who did not log in for 90 days are disabled	Snowflake	CIS Snowflake Foundations v1.0.0 L1
1.12 Ensure credentials unused for 45 days or more are disabled	amazon_aws	CIS Amazon Web Services Foundations v4.0.1 L1
2.2.16 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.2.16 Ensure 'Deny access to this computer from the network' to include 'Guests, Local account'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
2.2.17 (L1) Ensure 'Deny log on as a batch job' to include 'Guests'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
2.2.17 Ensure 'Deny log on as a batch job' to include 'Guests'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
2.11 Lock Out Accounts if Not Currently in Use	MySQLDB	CIS Oracle MySQL Enterprise Edition 8.0 v1.4.0 L2 Database
2.11 Lock Out Accounts if Not Currently in Use	MySQLDB	CIS Oracle MySQL Community Server 8.4 v1.0.0 L2 Database
2.11 Lock Out Accounts if Not Currently in Use	MySQLDB	CIS MySQL 8.0 Community Database L2 v1.1.0
2.11 Lock Out Accounts if Not Currently in Use	MySQLDB	CIS Oracle MySQL Enterprise Edition 8.4 v1.0.0 L2 MySQL RDBMS
2.13 Ensure 'sa' Login Account is set to 'Disabled'	MS_SQLDB	CIS SQL Server 2012 Database L1 AWS RDS v1.6.0
2.13 Ensure 'sa' Login Account is set to 'Disabled'	MS_SQLDB	CIS SQL Server 2012 Database L1 DB v1.6.0
2.13 Ensure 'sa' Login Account is set to 'Disabled'	MS_SQLDB	CIS SQL Server 2014 Database L1 DB v1.5.0
2.13 Ensure 'sa' Login Account is set to 'Disabled'	MS_SQLDB	CIS SQL Server 2014 Database L1 AWS RDS v1.5.0
2.13 Ensure the 'sa' Login Account is set to 'Disabled'	MS_SQLDB	CIS SQL Server 2016 Database L1 DB v1.4.0
2.13 Ensure the 'sa' Login Account is set to 'Disabled'	MS_SQLDB	CIS Microsoft SQL Server 2019 v1.4.0 L1 Database Engine
2.13 Ensure the 'sa' Login Account is set to 'Disabled'	MS_SQLDB	CIS SQL Server 2022 Database L1 DB v1.1.0
2.13 Ensure the 'sa' Login Account is set to 'Disabled'	MS_SQLDB	CIS Microsoft SQL Server 2019 v1.4.0 L1 AWS RDS
2.13 Ensure the 'sa' Login Account is set to 'Disabled'	MS_SQLDB	CIS SQL Server 2017 Database L1 AWS RDS v1.3.0
2.13 Ensure the 'sa' Login Account is set to 'Disabled'	MS_SQLDB	CIS SQL Server 2017 Database L1 DB v1.3.0
2.13 Ensure the 'sa' Login Account is set to 'Disabled'	MS_SQLDB	CIS SQL Server 2022 Database L1 AWS RDS v1.1.0
2.13 Ensure the 'sa' Login Account is set to 'Disabled'	MS_SQLDB	CIS SQL Server 2016 Database L1 AWS RDS v1.4.0
2.14 Ensure 'sa' Login Account is set to 'Disabled'	MS_SQLDB	CIS SQL Server 2008 R2 DB Engine L1 v1.7.0
10.5 Lock Inactive User Accounts	Unix	CIS Debian Linux 7 L1 v1.0.0
10.5 Lock Inactive User Accounts	Unix	CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.2.1 Ensure 'Audit Application Group Management' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
18.2.2 (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.2.2 (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)	Windows	CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1
18.2.2 (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)	Windows	CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1
18.2.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
18.3.2 (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)	Windows	CIS Microsoft Windows Server 2016 v3.0.0 L1 MS
18.3.2 (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)	Windows	CIS Windows Server 2012 MS L1 v3.0.0
18.3.2 (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)	Windows	CIS Windows Server 2012 R2 MS L1 v3.0.0
18.3.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)	Windows	CIS Microsoft Windows Server 2016 STIG v3.0.0 L1 MS
18.9.46.1 (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'	Windows	CIS Azure Compute Microsoft Windows Server 2019 v1.0.0 L1 DC
18.9.46.1 (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'	Windows	CIS Azure Compute Microsoft Windows Server 2019 v1.0.0 L1 MS
18.9.46.1 Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'	Windows	CIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 MS
18.9.46.1 Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'	Windows	CIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 DC

Detections

Analytics

800-53|AC-2(3)

Title

Description

Reference Item Details

Audit Items