Title

The Cisco ISE must limit the number of CLI and GUI sessions to an organization-defined number. (Cat III impact)

Discussion

Device management includes the ability to control the number of management sessions that manage a device. Limiting the number of allowed sessions is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for administrative access. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. At a minimum, limits must be set for SSH and HTTPS sessions.

Check Content

From the web Admin portal: 1. Choose Administration >> System >>Admin Access >> Settings >> Access. 2. Verify the "Maximum Concurrent Sessions" under "GUI" Sessions is set to the organization-defined number. 3. Verify the "Maximum Concurrent Sessions" under "CLI" Sessions is set to one (recommended) or an organization-defined number. It is highly recommended the number be minimized to one or two, but this can be based on operational needs. If the CLI and GUI are not set to limit the maximum number of sessions, this is a finding.

Fix Text

Configure the concurrent sessions for the CLI and GUI. From web admin portal: 1. Choose Administration >> System >>Admin Access >> Settings >> Access. 2. Configure the "Maximum Concurrent Sessions" under "GUI" to be the organization-defined number. 3. Configure the "Maximum Concurrent Sessions" under "CLI" to be one.

Additional Identifiers

Rule ID: SV-242607r1025177_rule

Vulnerability ID: V-242607

Group Title: SRG-APP-000001-NDM-000200

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.