An error occurred:

Check: IISW-SI-000236

Microsoft IIS 8.5 Site STIG: IISW-SI-000236 (in versions v2 r9 through v1 r2)

Title

The IIS 8.5 websites connectionTimeout setting must be explicitly configured to disconnect an idle session. (Cat II impact)

Discussion

Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. Acceptable values are 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications.

Check Content

Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState". Verify the "timeout" is set to "00:20:00 or less”, using the lowest value possible depending upon the application. Acceptable values are 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications. If "timeout" is not set to "00:20:00 or less”, this is a finding.

Fix Text

Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name. Select "Configuration Editor" under the "Management" section. From the "Section:" drop-down list at the top of the configuration editor, locate "system.web/sessionState". Set the "timeout" to "00:20:00 or less”, using the lowest value possible depending upon the application. Acceptable values are 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications. In the "Actions" pane, click "Apply".

Additional Identifiers

Rule ID: SV-214475r879673_rule

Vulnerability ID: V-214475

Group Title: SRG-APP-000295-WSR-000134

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002361

The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-12

Session Termination