UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The application server must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.


Overview

Finding ID Version Rule ID IA Controls Severity
V-35070 SRG-APP-000001-AS-000001 SV-46335r3_rule Medium
Description
Application management includes the ability to control the number of sessions that utilize an application by all accounts and/or account types. Limiting the number of allowed sessions is helpful in limiting risks related to Denial of Service attacks. Application servers host and expose business logic and application processes. The application server must possess the capability to limit the maximum number of concurrent sessions in a manner that affects the entire application server or on an individual application basis. Although there is some latitude concerning the settings themselves, the settings should follow DoD-recommended values, but the settings should be configurable to allow for future DoD direction. While the DoD will specify recommended values, the values can be adjusted to accommodate the operational requirement of a given system.
STIG Date
Application Server Security Requirements Guide 2018-09-13

Details

Check Text ( C-43459r4_chk )
Review the application server product documentation and configuration to determine if the number of concurrent sessions can be limited to the organization-defined number of sessions for all accounts and/or account types.

If a feature to limit the number of concurrent sessions is not available, is not set, or is set to unlimited, this is a finding.
Fix Text (F-39623r4_fix)
Configure the application server to limit the number of concurrent sessions for all accounts and/or account types to the organization-defined number.