Closed jmmcnj closed 6 years ago
Agreed, but where is authentication taking place?
Authentication is taking place within the ASP.NET Identity Management framework through username/password forms authentication
This is an internal system type of policy, should not be used for public facing citizen based web applications that are accessing the system on a bi-annual basis. This will discourage citizens from using the system.
Agreed, but the information system needs to provide this capability should WHD wish to enforce it. Not enforcing this requirement would require WHD to obtain a formally documented exception from DOL.
I think we are going to need arbitration on this one and/or maybe a discussion, will post in slack to get 18F to weigh in on this....
I will agree that we need to discuss this. I feel like a website designed for citizen use every six months should not disable/lock accounts for 30 days of inactivity. Doing so basically makes the site useless and completely undermines the purpose.
If this is absolutely required, it need not necessarily be functionality provided directly by the WHD app. A scheduled job (e.g., a cron job) run on a regular basis (perhaps hourly or daily) could execute a SQL command to disable inactive accounts.
@mgwalker Was there further discussion on this and what was the result if so...
DOL will decide internally. This is not a priority for AIS.
Thanks @afrimpong for explaining this in detail! This is definitely a good user story, and it will probably need to be broken into a few more user stories as well. Basically, the accounts will be disabled after some amount of time, and they can be re-enabled by the users themselves by re-verifying their email address (and maybe some other verification information, like their EIN). From the user's perspective, it would likely be a lot like a password reset.
This will go into the next buy.
NIST SP 800-53 Assigned Priority: P1 The information system must automatically disable accounts after 60 days of inactivity, and alert the necessary personnel of such an event.
Per discussions with security, accounts will be disabled after 60 days. To re-enable, users will be forced to change their password the next time they attempt to log in.
New story #798 for the last two items in the list (IIS related). Closing the current story.
Description: In reference to NIST Control AC-2(3), this cannot be enforced by the password expiration times. The WHD Organization Defined Parameter (ODP) will be provided so that it can be enforced by the information system - 60 days of inactivity.
This would have to be built as a server-side job that runs at some frequency to check accounts and the last login datetime stamp. There would be some effort to build this and then have it packaged and deployable in the DOL environment. There would also be further testing to be done on the application in each environment.
Acceptance Criteria: Existing user with a good account attempts to log in after 30 days of inactivity, is unsuccessful, and is prompted to contact the DOL 14c administrator. Considerations:
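A worked example of the job sketched in the cron-job comment above and in the description (a scheduled run that disables accounts inactive for 60 days, produces the personnel alert AC-2(3) asks for, and re-enables an account only after the user changes their password), added here as an illustration and not the WHD project's own code. The `Users` table is a simplified stand-in for the ASP.NET Identity user store (an assumption, not the real schema), and the sample rows are constructed.

```python
"""Scheduled job: disable accounts after 60 days of inactivity (NIST AC-2(3)).

Illustrative code, not the WHD application's. The Users table is an assumed,
simplified stand-in for the ASP.NET Identity store; sample rows are constructed.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

INACTIVITY_DAYS = 60  # WHD organization-defined parameter from the issue


def build_sample_db(now: datetime) -> sqlite3.Connection:
    """Create an in-memory user table populated with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE Users (
               UserName           TEXT PRIMARY KEY,
               LastLoginUtc       TEXT NOT NULL,               -- ISO-8601, UTC
               IsDisabled         INTEGER NOT NULL DEFAULT 0,
               MustChangePassword INTEGER NOT NULL DEFAULT 0
           )"""
    )
    rows = [
        ("active_user", now - timedelta(days=5)),
        ("edge_user", now - timedelta(days=60)),   # exactly at the boundary
        ("stale_user", now - timedelta(days=61)),
        ("old_user", now - timedelta(days=200)),
    ]
    conn.executemany(
        "INSERT INTO Users (UserName, LastLoginUtc) VALUES (?, ?)",
        [(name, ts.isoformat()) for name, ts in rows],
    )
    # old_user was disabled by an earlier run; it must not be reported again.
    conn.execute("UPDATE Users SET IsDisabled = 1 WHERE UserName = 'old_user'")
    conn.commit()
    return conn


def disable_inactive_accounts(conn, now, inactivity_days=INACTIVITY_DAYS):
    """One run of the job. Returns the user names disabled in this run so the
    caller can alert personnel about exactly the accounts that changed."""
    cutoff = (now - timedelta(days=inactivity_days)).isoformat()
    where = "IsDisabled = 0 AND LastLoginUtc < ?"   # strictly older than cutoff
    newly = [r[0] for r in conn.execute(
        f"SELECT UserName FROM Users WHERE {where}", (cutoff,))]
    conn.execute(
        f"UPDATE Users SET IsDisabled = 1, MustChangePassword = 1 WHERE {where}",
        (cutoff,))
    conn.commit()
    return newly


def format_alert(disabled, now=None):
    """Text for the personnel notification; None when nothing changed."""
    if not disabled:
        return None
    now = now or datetime.now(timezone.utc)
    return (f"[{now.isoformat()}] {len(disabled)} account(s) disabled for "
            f"inactivity: {', '.join(sorted(disabled))}")


def attempt_login(conn, username, now=None, new_password_set=False):
    """Login path from the thread: a disabled account is re-enabled only once
    the user has set a new password. Credential checking itself is assumed to
    have already succeeded before this function is called."""
    now = now or datetime.now(timezone.utc)
    row = conn.execute(
        "SELECT IsDisabled FROM Users WHERE UserName = ?", (username,)).fetchone()
    if row is None:
        return "unknown_user"
    if row[0] and not new_password_set:
        return "password_change_required"
    conn.execute(
        "UPDATE Users SET IsDisabled = 0, MustChangePassword = 0, LastLoginUtc = ? "
        "WHERE UserName = ?", (now.isoformat(), username))
    conn.commit()
    return "ok"


def run_job(now=None):
    """Build the sample store and perform one scheduled run."""
    now = now or datetime.now(timezone.utc)
    conn = build_sample_db(now)
    disabled = disable_inactive_accounts(conn, now)
    return conn, disabled, format_alert(disabled, now)


if __name__ == "__main__":
    _, _, alert = run_job()
    print(alert or "no accounts disabled")
```

The SELECT and UPDATE share one WHERE clause so the alert lists exactly the rows that were changed; an account already disabled by a previous run is neither touched nor reported twice, and an account whose last login is exactly 60 days old is left alone because the comparison is strict.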