1.2.10 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty'

Information

The 'exec-timeout' command sets how long the EXEC command interpreter waits for user input on a line before it times out the session. If no input is detected during the interval, the EXEC facility resumes the current connection (an outbound session opened from the device, if one exists); if no connections exist, it returns the terminal to the idle state and disconnects the incoming session. Setting the timeout to 0 0 (or 'no exec-timeout') disables the timer entirely, and the platform default is 10 minutes.

Rationale:

This prevents unauthorized users from misusing abandoned sessions, for example when a network administrator leaves for the day with a workstation unlocked and an authenticated management session still open. There is a trade-off between security (shorter timeouts) and usability (longer timeouts). Review local policy and operational needs to determine the best value; in most cases it should be no more than 10 minutes.

Impact:

Organizations should prevent unauthorized use of unattended or abandoned sessions with an automated control rather than relying on users to log out. Enabling 'exec-timeout' with an appropriate number of minutes and seconds closes idle sessions automatically, so an abandoned vty session cannot be picked up by someone else.

Solution

Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.

hostname(config)#line vty {line_number} [ending_line_number]
hostname(config-line)#exec-timeout <timeout_in_minutes> [timeout_in_seconds]
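
The following configuration is an added example and is not part of the benchmark text. It assumes an IOS device whose vty lines are numbered 0 through 15; check the actual range with 'show line' before applying it. It shows two non-compliant states that an auditor commonly finds beside the corrected setting, followed by the commands used to verify the result.

```cisco
! Added example (not from the benchmark). Assumes vty lines 0-15 exist.
!
! Non-compliant: an idle session never times out.
! "exec-timeout 0 0" and "no exec-timeout" both disable the timer.
line vty 0 4
 exec-timeout 0 0
!
! Non-compliant: 30 minutes exceeds the 10-minute ceiling.
line vty 5 15
 exec-timeout 30 0
!
! Compliant: set a 9-minute, 30-second idle timeout on every vty line
! in one range so no line is left at a looser value.
line vty 0 15
 exec-timeout 9 30
!
! Verify from privileged EXEC mode:
!   show running-config | section line vty
!     (the exec-timeout value must be 10 0 or lower, and must not be 0 0)
!   show line vty 0
!     (the "Timeouts: Idle EXEC" column shows the active value;
!      "never" means the timer is disabled)
```

Because the default of 10 minutes is not written to the running configuration, an absent 'exec-timeout' under 'line vty' is compliant in behaviour but cannot be shown to an auditor from the config alone, so set the value explicitly. The same command syntax applies under the console and auxiliary lines, which this item does not cover.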

See Also

https://workbench.cisecurity.org/files/3829

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-11, CSCv7|16.11

Plugin: Cisco

Control ID: 91f52d1f81056d5e038e8803168b708b05f4dbdd3c5dadd2f6a7546c1b3b7327