800-53|AC-10

Title

CONCURRENT SESSION CONTROL

Description

The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].

Supplemental

Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination. For example, organizations may limit the number of concurrent sessions for system administrators or individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts.

Reference Item Details

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P3

Baseline Impact: HIGH

Audit Items

Name | Plugin | Audit Name
1.5.5 Ensure number of concurrent sessions is limited | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
3.1.11 Set maximum connection limits - MAX_CONNECTIONS | Unix | CIS IBM DB2 v10 v1.1.0 Linux OS Level 1
3.1.11 Set maximum connection limits - MAX_CONNECTIONS | Unix | CIS IBM DB2 v10 v1.1.0 Linux OS Level 2
3.1.11 Set maximum connection limits - MAX_COORDAGENTS | Unix | CIS IBM DB2 v10 v1.1.0 Linux OS Level 1
3.1.11 Set maximum connection limits - MAX_COORDAGENTS | Unix | CIS IBM DB2 v10 v1.1.0 Linux OS Level 2
3.1.11 Set maximum connection limits - MAXAPPLS | Unix | CIS IBM DB2 v10 v1.1.0 Linux OS Level 1
3.1.11 Set maximum connection limits - MAXAPPLS | Unix | CIS IBM DB2 v10 v1.1.0 Linux OS Level 2
3.1.14 Set maximum connection limits - 'max_connections <= 100' | Unix | CIS IBM DB2 OS L2 v1.2.0
3.1.14 Set maximum connection limits - 'max_coordagents <= 100' | Unix | CIS IBM DB2 OS L2 v1.2.0
3.1.14 Set maximum connection limits - 'maxappls <= 99' | Unix | CIS IBM DB2 OS L2 v1.2.0
5.3.22 Ensure SSH MaxSessions is limited | Unix | CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
5.3.22 Ensure SSH MaxSessions is limited | Unix | CIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
5.9 Ensure number of concurrent sessions is limited | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
5.11 Disable ability to login to another user's active and locked session | Unix | CIS Apple OSX 10.10 Yosemite L1 v1.2.0
5.11 Disable ability to login to another user's active and locked session | Unix | CIS Apple OSX 10.11 El Capitan L1 v1.1.0
5.11 Disable ability to login to another user's active and locked session | Unix | CIS Apple OSX 10.9 L1 v1.3.0
5.13 Disable ability to login to another user's active and locked session | Unix | CIS Apple macOS 10.12 L1 v1.2.0
5.15 Disable Fast User Switching | Unix | CIS Apple OSX 10.10 Yosemite L2 v1.2.0
5.15 Disable Fast User Switching | Unix | CIS Apple OSX 10.11 El Capitan L2 v1.1.0
5.15 Disable Fast User Switching | Unix | CIS Apple OSX 10.9 L2 v1.3.0
5.16 Disable Fast User Switching | Unix | CIS Apple macOS 10.13 L2 v1.1.0
5.17 Disable Fast User Switching | Unix | CIS Apple macOS 10.12 L2 v1.2.0
9.2 Ensure KeepAlive Is Enabled | Unix | CIS Apache HTTP Server 2.2 L1 v3.6.0 Middleware
18.9.59.3.2.1 Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 2 v3.2.0
Access Security - J-Web - Set session-limit restrictions suitable for your environment | Juniper | Juniper Hardening JunOS 12 Devices Checklist
Access Security - SSH - Set connection-limit and rate-limit restrictions - connection-limit | Juniper | Juniper Hardening JunOS 12 Devices Checklist
AIX7-00-001004 - AIX must limit the number of concurrent sessions to 10 for all accounts and/or account types. | Unix | DISA STIG AIX 7.x v2r5
AOSX-14-000050 - The macOS system must limit the number of concurrent SSH sessions to 10 for all accounts and/or account types. | Unix | DISA STIG Apple Mac OSX 10.14 v2r6
AS24-U1-000010 - The Apache web server must limit the number of allowed simultaneous session requests - KeepAlive | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5
AS24-U1-000010 - The Apache web server must limit the number of allowed simultaneous session requests - KeepAlive | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5 Middleware
AS24-U1-000010 - The Apache web server must limit the number of allowed simultaneous session requests - MaxKeepAliveRequests | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5
AS24-U1-000010 - The Apache web server must limit the number of allowed simultaneous session requests - MaxKeepAliveRequests | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5 Middleware
AS24-U1-000020 - The Apache web server must perform server-side session management - httpd | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5 Middleware
AS24-U1-000020 - The Apache web server must perform server-side session management - httpd | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5
AS24-U1-000020 - The Apache web server must perform server-side session management - session_module | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5 Middleware
AS24-U1-000020 - The Apache web server must perform server-side session management - session_module | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5
AS24-U1-000020 - The Apache web server must perform server-side session management - usertrack_module | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5
AS24-U1-000020 - The Apache web server must perform server-side session management - usertrack_module | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5 Middleware
AS24-U2-000020 - The Apache web server must perform server-side session management - session_module | Unix | DISA STIG Apache Server 2.4 Unix Site v2r2
AS24-U2-000020 - The Apache web server must perform server-side session management - session_module | Unix | DISA STIG Apache Server 2.4 Unix Site v2r2 Middleware
AS24-U2-000020 - The Apache web server must perform server-side session management - usertrack_module | Unix | DISA STIG Apache Server 2.4 Unix Site v2r2
AS24-U2-000020 - The Apache web server must perform server-side session management - usertrack_module | Unix | DISA STIG Apache Server 2.4 Unix Site v2r2 Middleware
AS24-W1-000010 - The Apache web server must limit the number of allowed simultaneous session requests. | Windows | DISA STIG Apache Server 2.4 Windows Server v2r2
AS24-W1-000020 - The Apache web server must perform server-side session management - session_module | Windows | DISA STIG Apache Server 2.4 Windows Server v2r2
AS24-W1-000020 - The Apache web server must perform server-side session management - usertrack_module | Windows | DISA STIG Apache Server 2.4 Windows Server v2r2
AS24-W2-000010 - The Apache web server must limit the number of allowed simultaneous session requests. | Windows | DISA STIG Apache Server 2.4 Windows Site v2r1
AS24-W2-000020 - The Apache web server must perform server-side session management. | Windows | DISA STIG Apache Server 2.4 Windows Site v2r1
BIND-9X-001050 - The BIND 9.x secondary name server must limit the number of zones requested from a single master name server. | Unix | DISA BIND 9.x STIG v2r2
BIND-9X-001051 - The BIND 9.x secondary name server must limit the total number of zones the name server can request at any one time. | Unix | DISA BIND 9.x STIG v2r2
BIND-9X-001052 - The BIND 9.x server implementation must limit the number of concurrent session client connections to the number of allowed dynamic update clients. | Unix | DISA BIND 9.x STIG v2r2