VCSA-70-000089 - The vCenter Server must terminate vSphere Client sessions after 10 minutes of inactivity.

Information

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free resources committed by the managed network element.

Satisfies: SRG-APP-000190, SRG-APP-000295, SRG-APP-000389

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the vSphere Client, go to Administration >> Deployment >> Client Configuration.

Click 'Edit' and enter '10' minutes into the 'Session timeout' setting. Click 'Save'.

Note: If vCenter is not 7.0 U2 or newer, this setting is not available through the UI and must be checked with the 'session.timeout' setting in the '/etc/vmware/vsphere-ui/webclient.properties file'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y24M01_STIG.zip

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-12, 800-53|IA-11, 800-53|SC-10, CAT|II, CCI|CCI-001133, CCI|CCI-002038, CCI|CCI-002361, Rule-ID|SV-256334r885613_rule, STIG-ID|VCSA-70-000089, Vuln-ID|V-256334

Plugin: VMware

Control ID: 3a420fa5117bfe0fcf400d9f0277149db4220c161e95a4de011f3322e2eeb1ba