STIGQter STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 4 Release: 9 Benchmark Date: 25 Jan 2019: The application must provide a capability to limit the number of logon sessions per user.

DISA Rule

SV-83861r1_rule

Vulnerability Number

V-69239

Group Title

SRG-APP-000001

Rule Version

APSC-DV-000010

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Design and configure the application to specify the number of logon sessions that are allowed per user.

Check Contents

For production environments; Review the system documentation, identify the number of application user logon sessions allowed per user, identify the methods utilized for user session management or have application administrator describe how the application implements user session management.

Utilize the management interface that is used to set the user session values, or examine configuration files in order to review user session configuration settings.

Ensure the number of sessions allowed per user is specified in accordance with the organizational requirements.

For development environments; have the developer provide design documentation or demonstrate how the application is designed to limit the number of simultaneous user logon sessions.

If the application is not configured to limit the number of logon sessions per user as defined by the organization, this is a finding.

Vulnerability Number

V-69239

Documentable

False

Rule Version

APSC-DV-000010

Mitigations

APSC-DV-000010

Severity Override Guidance

For production environments; Review the system documentation, identify the number of application user logon sessions allowed per user, identify the methods utilized for user session management or have application administrator describe how the application implements user session management.

Utilize the management interface that is used to set the user session values, or examine configuration files in order to review user session configuration settings.

Ensure the number of sessions allowed per user is specified in accordance with the organizational requirements.

For development environments; have the developer provide design documentation or demonstrate how the application is designed to limit the number of simultaneous user logon sessions.

If the application is not configured to limit the number of logon sessions per user as defined by the organization, this is a finding.

Check Content Reference

M

Mitigation Control

Use web or application server session management
capabilities to limit the number of user application sessions or
build session management capabilities into the
application.

Target Key

3009

Comments