The IDPS must limit the number of concurrent sessions for each account to an organizationally defined number.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| SRG-NET-000053-IDPS-000001 | SRG-NET-000053-IDPS-000001 | SRG-NET-000053-IDPS-000001_rule | Low |
| Description |
|---|
| This requirement addresses concurrent sessions for a given information system account and does not address concurrent sessions by a single user via multiple accounts. In many products, this value defaults to unlimited which leaves the device open to DoS attacks. An organizationally defined value should be configured. Limiting the number of concurrent sessions to the device per any given account mitigates the risk associated with a Denial of Service (DoS) attack. |
| STIG | Date |
|---|---|
| IDPS Security Requirements Guide (SRG) | 2012-03-08 |
Details
| Check Text ( C-43112_chk ) |
|---|
| View the user account management screens. Verify the number of concurrent sessions setting is not set to unlimited. Verify the number of concurrent sessions is set to an organizationally defined value. (Recommended value is 3 or fewer.) If the number of concurrent sessions for accounts is set to unlimited, this is a finding. If the number of concurrent sessions is not set to an organizationally defined value, this is a finding. |
| Fix Text (F-43112_fix) |
|---|
| Navigate to the user account management screen. Set the default concurrent sessions for user accounts to an organizationally defined value. |