1.2.12 Set 'exec-timeout' to less than or equal to 10 min on 'ip http'

Information

If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.

Rationale:

This prevents unauthorized users from misusing abandoned sessions. For example, if the network administrator leaves for the day and leaves a computer open with an enabled login session accessible. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Review your local policies and operational needs to determine the best timeout value. In most cases, this should be no more than 10 minutes.

This prevents unauthorized users from misusing abandoned sessions. For example, if the network administrator leaves for the day and leaves a computer open with an enabled login session accessible. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Review your local policies and operational needs to determine the best timeout value. In most cases, this should be no more than 10 minutes.

Solution

Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.

ip http timeout-policy idle 600 life {nnnn} requests {nn}

Default Value:

disabled

See Also

https://workbench.cisecurity.org/files/3801

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|IA-5, CSCv7|5.1

Plugin: Cisco

Control ID: 2899d2a5ba6e8d0a9a30b4335548b5f044981c75fac8c200b9fd58527d8524bd