Details
Days of non-use before lock-out. The number of days a user can go without a successful login before that user is locked out. This only takes effect if ‘Deny access to unused accounts’ is selected.
Rationale:
User accounts that have been unused for over a given period of time can be automatically disabled. It is recommended that accounts unused for 30 days be disabled. Unused accounts pose a threat to system security because their users are not logging in and so do not notice failed login attempts or other anomalies.
Solution
Run the following command to set the deny-on-nonuse allowed-days setting.
CLI:
Hostname> set password-controls deny-on-nonuse allowed-days 30
GUI:
Navigate to User Management > Password Policy > Deny access to unused accounts:
Set ‘Days of non-use before lock-out’ to 30 or less.
Note: This setting only takes effect if ‘Deny access to unused accounts’ is enabled.
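An audit check for this control, as an added example (not part of the original benchmark or of Check Point's own tooling): it reads configuration lines in the same `set password-controls ...` syntax as the command above and reports a finding when the day limit exceeds 30 or when the limit is set but the control is not enabled. The `deny-on-nonuse enable` line, the sample configurations and the function name are assumptions made for the example.

```python
import re

MAX_DAYS = 30       # limit recommended on this page
DEFAULT_DAYS = 365  # default value stated on this page

# Constructed sample configurations. The "enable" line is an assumed CLI
# counterpart of the GUI option 'Deny access to unused accounts'.
SAMPLE_DEFAULT = """\
set password-controls deny-on-nonuse enable off
set password-controls deny-on-nonuse allowed-days 365
"""
SAMPLE_DAYS_ONLY = """\
set password-controls deny-on-nonuse enable off
set password-controls deny-on-nonuse allowed-days 30
"""
SAMPLE_HARDENED = """\
set password-controls deny-on-nonuse enable on
set password-controls deny-on-nonuse allowed-days 30
"""

# An optional "Hostname>" prompt is accepted in front of the command.
_LINE = re.compile(
    r"^\s*(?:\S+>)?\s*set\s+password-controls\s+deny-on-nonuse\s+"
    r"(enable|allowed-days)\s+(\S+)\s*$"
)

def audit_deny_on_nonuse(config_text, max_days=MAX_DAYS):
    """Return (compliant, findings) for the unused-account lock-out control."""
    enabled = False      # assumption: a missing enable line means disabled
    days = DEFAULT_DAYS  # a missing allowed-days line means the default
    for line in config_text.splitlines():
        match = _LINE.match(line)
        if not match:
            continue
        key, value = match.groups()
        if key == "enable":
            enabled = value.lower() == "on"
        else:
            days = int(value) if value.isdigit() else None  # None = unparsable
    findings = []
    if not enabled:
        findings.append("deny-on-nonuse is not enabled, so allowed-days has no effect")
    if days is None or days > max_days:
        findings.append(f"allowed-days is {days}; expected {max_days} or less")
    return (not findings, findings)

if __name__ == "__main__":
    for name in ("SAMPLE_DEFAULT", "SAMPLE_DAYS_ONLY", "SAMPLE_HARDENED"):
        print(name, audit_deny_on_nonuse(globals()[name]))
```

The `SAMPLE_DAYS_ONLY` case is the one the note above describes: the day limit is compliant on paper, but the control is switched off and no account is ever locked out.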
Default Value:
365
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: CheckPoint.