2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'

Information

This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4).

The recommended state for this setting is: Enabled.

Rationale:

If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours.

Impact:

None - this is the default behavior.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled.

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire

Default Value:

Enabled. (When a user's logon time expires, client sessions with the SMB server will be forcibly disconnected. The user will be unable to log on to the computer until their next scheduled access time commences.)

See Also

https://workbench.cisecurity.org/benchmarks/14249

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(12), CCE|CCE-34993-6, CSCv7|16.13

Plugin: Windows

Control ID: 8a6b61652c84356f16f96738a7644d63134db8f59a9c3a65e6bed326c2dbf725