WN12-AD-000014-DC - The directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.

Information

The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure the directory service to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.

Open an elevated command prompt.
Enter 'ntdsutil'.
At the 'ntdsutil:' prompt, enter 'LDAP policies'.
At the 'ldap policy:' prompt, enter 'connections'.
At the 'server connections:' prompt, enter 'connect to server [host-name]'.
(Where [host-name] is the computer name of the domain controller.)
At the 'server connections:' prompt, enter 'q'.
At the 'ldap policy:' prompt, enter 'Set MaxConnIdleTime to 300'.
Enter 'Commit Changes' to save.
Enter 'Show values' to verify changes.
Enter 'q' at the 'ldap policy:' and 'ntdsutil:' prompts to exit.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2012_and_2012_R2_DC_V3R7_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-10, CAT|III, CCI|CCI-001133, Rule-ID|SV-226083r794805_rule, STIG-ID|WN12-AD-000014-DC, STIG-Legacy|SV-51188, STIG-Legacy|V-14831, Vuln-ID|V-226083

Plugin: Windows

Control ID: 4a8ce66f83dc9fb653980efe029bc3befb6dd6414f35b090fe42331745f9dd0b