UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.


Overview

Finding ID Version Rule ID IA Controls Severity
V-14831 DS00.3370_AD SV-16171r2_rule ECTM-1 ECTM-2 Low
Description
- The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability.
STIG Date
Active Directory Service 2008 Security Technical Implementation Guide (STIG) 2011-05-23

Details

Check Text ( C-14088r2_chk )
1. Use either the ntdsutil.exe or the dsquery.exe utility to display the value for MaxConnIdleTime in the lDAPAdminLimits attribute. (See instructions in Supplementary Notes.)

2. If the value for MaxConnIdleTime is greater than 300 (the value for five minutes) or it is not specified, then this is a finding.

Supplemental Notes:

To use the “ntdsutil.exe” utility to display MaxConnIdleTime:
1. At a command line prompt enter ntdsutil
2. At the “ntdsutil:” prompt, enter LDAP policies
3. At the “ldap policy:” prompt, enter connections
4. At the “server connections:” prompt, enter connect to server [host-name]
(Where [host-name] is the computer name of the domain controller.)
5. At the “server connections:” prompt, enter q
6. At the “ldap policy:” prompt, enter show values
7. Enter q at the “ldap policy:” and “ntdsutil:” prompts to exit.

To use the “dsquery.exe” utility to display MaxConnIdleTime:
1. At a command line prompt enter (on a single line):
dsquery * “cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" attr lDAPAdminLimits
(Where the quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed.)
Fix Text (F-15003r2_fix)
Configure the directory service to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.