20.19 Ensure 'Directory service must be configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity' (STIG DC only)

Information

This policy setting ensures that the directory service is configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity.

The STIG recommended state for this setting is: 300 seconds (5 minutes) or less

Failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure the directory service to terminate LDAP-based network connections to the directory server after 300 seconds (5 minutes) or less of inactivity:

- Open an elevated Command Prompt (run as administrator) and type: ntdsutil
- At the ntdsutil: prompt, type: LDAP policies
- At the ldap policy: prompt, type: connections
- At the server connections: prompt, type: connect to server [host-name] (where [host-name] is the computer name of the domain controller)
- At the server connections: prompt, type: q
- At the ldap policy: prompt, type: Set MaxConnIdleTime to 300
- Type Commit Changes to save
- Type Show values to verify the change
- Type q at the ldap policy: and ntdsutil: prompts to exit
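Because Nessus does not perform this check, an audit needs its own read of the setting. The PowerShell below is an added example, not part of the benchmark or the Tenable audit: it reads the lDAPAdminLimits attribute of the domain's Default Query Policy object (the object ntdsutil's LDAP policies menu edits) and compares MaxConnIdleTime with the 300-second maximum. It assumes the ActiveDirectory RSAT module and read access to the Configuration naming context.

```powershell
# Added example (not from the CIS benchmark or Tenable audit): audit MaxConnIdleTime
# on the Default Query Policy. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Test-LdapMaxConnIdleTime {
    param([int]$MaxAllowedSeconds = 300)

    # The policy lives under the Configuration naming context of the forest.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $policyDn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
                "CN=Windows NT,CN=Services,$configNc"

    $policy = Get-ADObject -Identity $policyDn -Properties lDAPAdminLimits

    # lDAPAdminLimits is multi-valued; each entry is "Name=Value", e.g. "MaxConnIdleTime=900".
    $entry   = $policy.lDAPAdminLimits | Where-Object { $_ -like 'MaxConnIdleTime=*' }
    $seconds = if ($entry) { [int](($entry -split '=', 2)[1]) } else { $null }

    # An absent entry means the built-in default applies, which is treated as non-compliant.
    [pscustomobject]@{
        PolicyDN        = $policyDn
        MaxConnIdleTime = $seconds
        Compliant       = ($null -ne $seconds -and $seconds -le $MaxAllowedSeconds)
    }
}

$result = Test-LdapMaxConnIdleTime
if ($result.Compliant) {
    Write-Output "MaxConnIdleTime = $($result.MaxConnIdleTime) s: compliant (300 s or less)"
} else {
    Write-Output "MaxConnIdleTime = $($result.MaxConnIdleTime) s: NOT compliant; apply 'Set MaxConnIdleTime to 300' via ntdsutil"
}
```

If a domain controller or site has been assigned a different query policy through the queryPolicyObject attribute on its nTDSDSA or NTDS Site Settings object, read lDAPAdminLimits from that object instead of the default policy.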

Impact:

LDAP-based network connections to the directory server will terminate after five minutes of inactivity.

See Also

https://workbench.cisecurity.org/benchmarks/18857

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-12

Plugin: Windows

Control ID: ae4b1d7f57b79b3327b297d4e9eea12bab1ca8dac803ea52ff0fd047cf71ef96