6.3 Ensure that SharePoint user sessions are terminated upon user logoff and when the idle time limit is exceeded

Information

The SharePoint platform should be configured with a user session idle time limit of 15 minutes.
Rationale:
Whenever a SharePoint user session is started, a unique session ID and other session information are generated. Such information can be used by a malicious user to hijack the session. By terminating sessions upon user logoff and when the idle time limit is exceeded, the underlying session information is invalidated. Therefore, the potential for the session to be hijacked is removed.

Solution

Review the SharePoint server configuration to ensure user sessions are terminated upon user logoff and when the idle time limit is exceeded.
Navigate to Central Administration website.
Click Application Management.
Click Manage Web Applications.
Repeat the following steps for each web application:
* Select the Web Application.
* Click General Settings in the Web Application ribbon.
* In the Web Page Security Validation section, verify that "Security validation is:" is set to On and that "Security validation expires:" is set to 15 minutes.
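The same check can be scripted for every web application in the farm. The following is an added example, not part of the CIS benchmark or the Tenable audit file; it assumes it runs in the SharePoint Management Shell on a farm server with farm-administrator rights, and that the SPWebApplication.FormDigestSettings properties (Enabled, Expire, Timeout) back the "Security validation is:" and "Security validation expires:" settings shown in Central Administration.

```powershell
# Added audit helper for control 6.3 (assumption: FormDigestSettings backs
# the Web Page Security Validation settings in Central Administration).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$BenchmarkTimeout = New-TimeSpan -Minutes 15   # value required by this control

function Test-SPSecurityValidation {
    param([TimeSpan]$Limit = $BenchmarkTimeout)

    foreach ($webApp in Get-SPWebApplication) {
        $digest = $webApp.FormDigestSettings

        # Compliant only when validation is on, set to expire, and the
        # expiry interval is no longer than the benchmark limit.
        $pass = $digest.Enabled -and $digest.Expire -and ($digest.Timeout -le $Limit)

        [pscustomobject]@{
            WebApplication = $webApp.DisplayName
            Url            = $webApp.Url
            Enabled        = $digest.Enabled
            Expires        = $digest.Expire
            TimeoutMinutes = $digest.Timeout.TotalMinutes
            Status         = if ($pass) { 'PASS' } else { 'FAIL' }
        }
    }
}

function Set-SPSecurityValidation {
    # Remediation: apply the benchmark values to one web application.
    param([Parameter(Mandatory)][Microsoft.SharePoint.Administration.SPWebApplication]$WebApp,
          [TimeSpan]$Timeout = $BenchmarkTimeout)

    $WebApp.FormDigestSettings.Enabled = $true
    $WebApp.FormDigestSettings.Expire  = $true
    $WebApp.FormDigestSettings.Timeout = $Timeout
    $WebApp.Update()   # persist the change to the configuration database
}

# Report on every web application; remediate only the ones that fail.
$results = Test-SPSecurityValidation
$results | Format-Table -AutoSize
foreach ($r in $results | Where-Object Status -eq 'FAIL') {
    Set-SPSecurityValidation -WebApp (Get-SPWebApplication $r.Url)
}
```

Run the report first on its own and review the FAIL rows before letting the remediation loop change a production web application.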

See Also

https://workbench.cisecurity.org/files/2031

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-12, CSCv6|3.1, CSCv6|5.1

Plugin: Windows

Control ID: be2b5e687867a898494ecad15ea61d49f35c8ebcc5d1b1b704f6bfc6f183dd85