800-53|AC-11

Title

SESSION LOCK

Description

The information system:

Supplemental

Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays.

Reference Item Details

Related: AC-7

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P3

Baseline Impact: MODERATE,HIGH

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.1.3.6.2 Set 'Interactive logon: Smart card removal behavior' to 'Lock Workstation' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.3.6.10 Set 'Interactive logon: Machine inactivity limit' to '900 or fewer seconds' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.3.9.14 Set 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' to '0' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 |
| 1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker |
| 1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Windows | CIS Windows Server 2012 DC L1 v2.2.0 |
| 1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.2.0 |
| 1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.2.0 |
| 1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Windows | CIS Windows Server 2012 MS L1 v2.2.0 |
| 1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Windows | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.2.0 |
| 1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Windows | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.2.0 |
| 1.2.2 (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker |
| 1.2.2 (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 |
| 1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' | Windows | CIS Windows Server 2012 MS L1 v2.2.0 |
| 1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' | Windows | CIS Windows Server 2012 DC L1 v2.2.0 |
| 1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' | Windows | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.2.0 |
| 1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' | Windows | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.2.0 |
| 1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' | Windows | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.2.0 |
| 1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' | Windows | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.2.0 |
| 1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker |
| 1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 |
| 1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0' | Cisco | CIS Cisco IOS 17 L1 v1.0.0 |
| 1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0' | Cisco | CIS Cisco IOS 15 L1 v4.1.1 |
| 1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0' | Cisco | CIS Cisco IOS 16 L1 v1.1.2 |
| 1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0' | Cisco | CIS Cisco IOS 16 L1 v1.1.2 |
| 1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0' | Cisco | CIS Cisco IOS 15 L1 v4.1.1 |
| 1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0' | Cisco | CIS Cisco IOS 17 L1 v1.0.0 |
| 1.2.8 Set 'exec-timeout' less than or equal to 10 minutes 'line tty' | Cisco | CIS Cisco IOS 17 L1 v1.0.0 |
| 1.2.8 Set 'exec-timeout' less than or equal to 10 minutes 'line tty' | Cisco | CIS Cisco IOS 16 L1 v1.1.2 |
| 1.2.8 Set 'exec-timeout' less than or equal to 10 minutes 'line tty' | Cisco | CIS Cisco IOS 15 L1 v4.1.1 |
| 1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty' | Cisco | CIS Cisco IOS 16 L1 v1.1.2 |
| 1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty' | Cisco | CIS Cisco IOS 17 L1 v1.0.0 |
| 1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty' | Cisco | CIS Cisco IOS 15 L1 v4.1.1 |
| 1.2.10 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty' | Cisco | CIS Cisco IOS 15 L1 v4.1.1 |
| 1.2.10 Set 'transport input none' for 'line aux 0' | Cisco | CIS Cisco IOS 16 L1 v1.1.2 |
| 1.2.10 Set 'transport input none' for 'line aux 0' | Cisco | CIS Cisco IOS 17 L1 v1.0.0 |
| 1.2.11 Set 'transport input none' for 'line aux 0' | Cisco | CIS Cisco IOS 15 L1 v4.1.1 |
| 1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | Palo_Alto | CIS Palo Alto Firewall 10 v1.0.0 L1 |
| 1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 |
| 1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | Palo_Alto | CIS Palo Alto Firewall 9 v1.0.1 L1 |
| 1.8.4 Ensure GDM screen locks when the user is idle - idle-delay | Unix | CIS Ubuntu Linux 22.04 LTS Server L1 v1.0.0 |
| 1.8.4 Ensure GDM screen locks when the user is idle - idle-delay | Unix | CIS Ubuntu Linux 22.04 LTS Workstation L1 v1.0.0 |
| 1.8.4 Ensure GDM screen locks when the user is idle - lock-delay | Unix | CIS Ubuntu Linux 22.04 LTS Server L1 v1.0.0 |
| 1.8.4 Ensure GDM screen locks when the user is idle - lock-delay | Unix | CIS Ubuntu Linux 22.04 LTS Workstation L1 v1.0.0 |
| 1.8.5 Ensure GDM screen locks cannot be overridden - idle-delay | Unix | CIS Ubuntu Linux 22.04 LTS Server L1 v1.0.0 |
| 1.8.5 Ensure GDM screen locks cannot be overridden - idle-delay | Unix | CIS Ubuntu Linux 22.04 LTS Workstation L1 v1.0.0 |
| 1.8.5 Ensure GDM screen locks cannot be overridden - lock-delay | Unix | CIS Ubuntu Linux 22.04 LTS Server L1 v1.0.0 |
| 1.11 Ensure Deny access after failed login attempts is selected | CheckPoint | CIS Check Point Firewall L1 v1.1.0 |
| 1.12 Ensure Maximum number of failed attempts allowed is set to 5 or fewer | CheckPoint | CIS Check Point Firewall L1 v1.1.0 |
| 1.13 Ensure Allow access again after time is set to 300 or more seconds | CheckPoint | CIS Check Point Firewall L1 v1.1.0 |