800-53|AC-11

Title

SESSION LOCK

Description

The information system:

Supplemental

Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AC-7

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P3

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1.1.2.1.8 Set 'Interactive logon: Smart card removal behavior' to 'Lock Workstation'	Windows	CIS Windows 2003 MS v3.1.0
1.1.1.2.1.8 Set 'Interactive logon: Smart card removal behavior' to 'Lock Workstation'	Windows	CIS Windows 2003 DC v3.1.0
1.1.1.2.1.49 Set 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' to '0'	Windows	CIS Windows 2003 DC v3.1.0
1.1.1.2.1.49 Set 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' to '0'	Windows	CIS Windows 2003 MS v3.1.0
1.1.1.2.1.79 Set 'Interactive logon: Require Domain Controller authentication to unlock workstation' to 'Enabled'	Windows	CIS Windows 2003 DC v3.1.0
1.1.1.2.1.79 Set 'Interactive logon: Require Domain Controller authentication to unlock workstation' to 'Enabled'	Windows	CIS Windows 2003 MS v3.1.0
1.1.3.6.2 Set 'Interactive logon: Smart card removal behavior' to 'Lock Workstation'	Windows	CIS Windows 8 L1 v1.0.0
1.1.3.6.10 Set 'Interactive logon: Machine inactivity limit' to '900 or fewer seconds'	Windows	CIS Windows 8 L1 v1.0.0
1.1.3.9.14 Set 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' to '0'	Windows	CIS Windows 8 L1 v1.0.0
1.1.4 - AirWatch - Set 'timeout in minutes' for 'Sleep'	MDM	AirWatch - CIS Google Android 4 v1.0.0 L1
1.1.4 - AirWatch - Set Auto-lock - 'Inactivity Timeout <= 2'	MDM	AirWatch - CIS Apple iOS 8 v1.0.0 L1
1.1.4 - AirWatch - Set Auto-lock - 'Inactivity Timeout <= 2'	MDM	AirWatch - CIS Apple iOS 9 v1.0.0 L1
1.1.4 - MobileIron - Set 'timeout in minutes' for 'Sleep'	MDM	MobileIron - CIS Google Android 4 v1.0.0 L1
1.1.4 - MobileIron - Set Auto-lock - 'Inactivity Timeout <= 2'	MDM	MobileIron - CIS Apple iOS 9 v1.0.0 L1
1.1.4 - MobileIron - Set Auto-lock - 'Inactivity Timeout <= 2'	MDM	MobileIron - CIS Apple iOS 8 v1.0.0 L1
1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
1.2.2 (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'	Cisco	CIS Cisco IOS XE 16.x v2.1.0 L1
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'	Cisco	CIS Cisco IOS XE 17.x v2.1.0 L1
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0'	Cisco	CIS Cisco IOS XE 16.x v2.1.0 L1
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0'	Cisco	CIS Cisco IOS XE 17.x v2.1.0 L1
1.2.8 Set 'exec-timeout' less than or equal to 10 minutes 'line tty'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.2.8 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty'	Cisco	CIS Cisco IOS XE 16.x v2.1.0 L1
1.2.8 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty'	Cisco	CIS Cisco IOS XE 17.x v2.1.0 L1
1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.2.9 Set 'transport input none' for 'line aux 0'	Cisco	CIS Cisco IOS XE 16.x v2.1.0 L1
1.2.9 Set 'transport input none' for 'line aux 0'	Cisco	CIS Cisco IOS XE 17.x v2.1.0 L1
1.2.10 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.2.11 Set 'exec-timeout' to less than or equal to 10 min on 'ip http'	Cisco	CIS Cisco IOS XE 17.x v2.1.0 L1
1.2.11 Set 'exec-timeout' to less than or equal to 10 min on 'ip http'	Cisco	CIS Cisco IOS XE 16.x v2.1.0 L1
1.2.11 Set 'transport input none' for 'line aux 0'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.3.10 Ensure 'Password Profiles' do not exist	Palo_Alto	CIS Palo Alto Firewall 10 v1.1.0 L1
1.11 Ensure Deny access after failed login attempts is selected	CheckPoint	CIS Check Point Firewall L1 v1.1.0
1.12 Ensure Maximum number of failed attempts allowed is set to 5 or fewer	CheckPoint	CIS Check Point Firewall L1 v1.1.0
1.13 Ensure Allow access again after time is set to 300 or more seconds	CheckPoint	CIS Check Point Firewall L1 v1.1.0
1.21 Ensure 'Screen timeout' is set to '1 minute or less'	MDM	MobileIron - CIS Google Android v1.3.0 L1
1.21 Ensure 'Screen timeout' is set to '1 minute or less'	MDM	AirWatch - CIS Google Android v1.3.0 L1
1.21 Ensure 'Sleep' is set to 1 minute or less	MDM	AirWatch - CIS Google Android v1.2.0 L1
1.21 Ensure 'Sleep' is set to 1 minute or less	MDM	MobileIron - CIS Google Android v1.2.0 L1
1.23 Ensure 'Sleep' is set to 1 minute or less	MDM	AirWatch - CIS Google Android 7 v1.0.0 L1
1.23 Ensure 'Sleep' is set to 1 minute or less	MDM	MobileIron - CIS Google Android 7 v1.0.0 L1
1.100 - The system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.	Unix	Tenable Fedora Linux Best Practices v2.0.0
1.101 - The system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.	Unix	Tenable Fedora Linux Best Practices v2.0.0
1.110 - The system must initiate a session lock for graphical user interfaces when the screensaver is activated.	Unix	Tenable Fedora Linux Best Practices v2.0.0

Detections

Analytics