2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'

Information

This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable

Microsoft network server: Disconnect clients when logon hours expire

(Rule 2.3.9.4).

The recommended state for this setting is: Enabled

If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire

Impact:

None - this is the default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/15290

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(1), CSCv7|16.13

Plugin: Windows

Control ID: 84b8bbc1487cb3586c11b3be7839d9738a7effaad2028a1730ec1b92e2dbafd0