RFC 3871           Operational Security Requirements      September 2004
   Examples.
      None.
   Warnings.
      None.
2.12.4.  Ability to Disable All Local Accounts
   Requirement.
      The device MUST provide a means of disabling all local accounts
      including:
      *  local users,
      *  default accounts (vendor, maintenance, guest, etc.),
      *  privileged and unprivileged accounts.
      A local account is defined as one where all information necessary
      for user authentication is stored on the device.
   Justification.
      Default accounts, well known accounts, and old accounts provide
      easy targets for someone attempting to gain access to a device.
      It must be possible to disable them to reduce the potential
      vulnerability.
   Examples.
      The implementation depends on the types of authentication
      supported by the device.
   Warnings.
      None.
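   Added example (not part of RFC 3871): one way to verify that every
   local account is actually disabled, assuming the device keeps local
   accounts in Unix passwd(5)/shadow(5) format. The sample entries and
   the function names audit and account_state are constructed here.

```python
import time

# Constructed sample data. Assumption: passwd(5)/shadow(5) format on the device.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000:operator:/home/admin:/bin/sh
guest:x:1001:1001:guest:/home/guest:/bin/sh
maint:x:0:1002:vendor maintenance:/home/maint:/bin/sh
"""
SAMPLE_SHADOW = """\
root:!$6$constructed$hash:19000:0:99999:7::1:
admin:$6$constructed$hash:19000:0:99999:7:::
guest::19000:0:99999:7:::
maint:!:19000:0:99999:7::0:
"""

def account_state(shadow_fields, today_days):
    """Return 'disabled', 'password-locked' or 'enabled' for one shadow entry."""
    password, expire = shadow_fields[1], shadow_fields[7]
    # Expiry day 0 is ambiguous per shadow(5), so only values >= 1 count.
    if expire.isdigit() and 1 <= int(expire) <= today_days:
        return "disabled"
    # A locked password blocks password login only; other local
    # credentials (for example SSH keys) may still authenticate.
    if password.startswith(("!", "*")):
        return "password-locked"
    return "enabled"

def audit(passwd_text, shadow_text, today_days=None):
    """List (name, privileged, state) for every local account not disabled."""
    if today_days is None:
        today_days = int(time.time() // 86400)
    shadow = {f[0]: f for f in (l.split(":") for l in shadow_text.splitlines() if l)}
    findings = []
    for line in filter(None, passwd_text.splitlines()):
        name, _, uid = line.split(":")[:3]
        entry = shadow.get(name)
        # Missing or malformed shadow entry: cannot prove it is disabled.
        usable = entry is not None and len(entry) >= 8
        state = account_state(entry, today_days) if usable else "enabled"
        if state != "disabled":
            findings.append((name, uid == "0", state))
    return findings

if __name__ == "__main__":
    for name, privileged, state in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{name}: privileged={privileged} state={state}")
```

   An empty result from audit means every local account, privileged or
   not, has a past expiry date set; a password lock alone is reported
   separately because it does not disable the account.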
2.12.5.  Support Centralized User Authentication Methods
   Requirement.
      The device MUST support a method of centralized authentication of
      all user access via standard authentication protocols.
Jones                        Informational                     [Page 57]



