WN22-DC-000160 - Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity.

Information

The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability.

Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109

Solution

Configure the directory service to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity.

Open an elevated 'Command prompt' (run as administrator).

Enter 'ntdsutil'.

At the 'ntdsutil:' prompt, enter 'LDAP policies'.

At the 'ldap policy:' prompt, enter 'connections'.

At the 'server connections:' prompt, enter 'connect to server [host-name]' (where [host-name] is the computer name of the domain controller).

At the 'server connections:' prompt, enter 'q'.

At the 'ldap policy:' prompt, enter 'Set MaxConnIdleTime to 300'.

Enter 'Commit Changes' to save.

Enter 'Show values' to verify changes.

Enter 'q' at the 'ldap policy:' and 'ntdsutil:' prompts to exit.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V2R2_STIG.zip

Item Details

Category: ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-12, 800-53|SC-10, CAT|III, CCI|CCI-001133, CCI|CCI-002361, Rule-ID|SV-254400r970703_rule, STIG-ID|WN22-DC-000160, Vuln-ID|V-254400

Plugin: Windows

Control ID: 0f152d53828150a03e5b50ae0ea7a312f9ee0ebad880248b68eefbb790542608