The MDM server must terminate administrator sessions upon administrator logout or any other organization or policy defined session termination events such as idle time limit exceeded.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-36056 | SRG-APP-220-MDM-052-SRV | SV-47446r1_rule | Medium |
| Description |
|---|
| If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to highjack the session and use it to gain access to the device or networks to which it is attached. Terminating sessions after a certain period of inactivity is a method for mitigating the risk of this vulnerability. |
| STIG | Date |
|---|---|
| Mobile Device Manager Security Requirements Guide | 2013-01-24 |
Details
| Check Text ( C-44295r1_chk ) |
|---|
| Review the MDM server configuration, server configuration, and organizational policy to determine the system is configured to terminate administrator sessions upon administrator logout or any other organization or policy defined session termination events such as idle time limit exceeded. If the configuration is not set to terminate administrator sessions per defined events, this is a finding. |
| Fix Text (F-40586r1_fix) |
|---|
| Configure the MDM server to terminate administrator sessions upon administrator logout or any other organization or policy defined session termination events. |