last sync: 2024-Dec-05 18:53:22 UTC

Terminate user session automatically | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Terminate user session automatically
Id 4502e506-5f35-0df4-684f-b326e3cc7093
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1054 - Terminate user session automatically
Additional metadata Name/Id: CMA_C1054 / CMA_C1054
Category: Operational
Title: Terminate user session automatically
Ownership: Customer
Description: The customer is responsible for defining and enforcing events or conditions requiring the termination of a user session on customer-deployed resources.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 16 compliance controls are associated with this Policy definition 'Terminate user session automatically' (4502e506-5f35-0df4-684f-b326e3cc7093)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
CIS_Azure_1.1.0 3.4 CIS_Azure_1.1.0_3.4 CIS Microsoft Azure Foundations Benchmark recommendation 3.4 3 Storage Accounts Ensure that shared access signature tokens expire within an hour Shared The customer is responsible for implementing this recommendation. Expire shared access signature tokens within an hour. link 3
CIS_Azure_1.3.0 3.4 CIS_Azure_1.3.0_3.4 CIS Microsoft Azure Foundations Benchmark recommendation 3.4 3 Storage Accounts Ensure that shared access signature tokens expire within an hour Shared The customer is responsible for implementing this recommendation. Expire shared access signature tokens within an hour. link 3
CIS_Azure_1.4.0 3.4 CIS_Azure_1.4.0_3.4 CIS Microsoft Azure Foundations Benchmark recommendation 3.4 3 Storage Accounts Ensure that Shared Access Signature Tokens Expire Within an Hour Shared The customer is responsible for implementing this recommendation. Expire shared access signature tokens within an hour. link 3
CIS_Azure_2.0.0 3.6 CIS_Azure_2.0.0_3.6 CIS Microsoft Azure Foundations Benchmark recommendation 3.6 3 Ensure that Shared Access Signature Tokens Expire Within an Hour Shared n/a Expire shared access signature tokens within an hour. A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. A shared access signature can be provided to clients who should not be trusted with the storage account key but for whom it may be necessary to delegate access to certain storage account resources. Providing a shared access signature URI to these clients allows them access to a resource for a specified period of time. This time should be set as low as possible and preferably no longer than an hour. link 3
FedRAMP_High_R4 AC-12 FedRAMP_High_R4_AC-12 FedRAMP High AC-12 Access Control Session Termination Shared n/a The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. Supplemental Guidance: This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use. Related controls: SC-10, SC-23. References: None. link 1
FedRAMP_Moderate_R4 AC-12 FedRAMP_Moderate_R4_AC-12 FedRAMP Moderate AC-12 Access Control Session Termination Shared n/a The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. Supplemental Guidance: This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use. Related controls: SC-10, SC-23. References: None. link 1
hipaa 1114.01h1Organizational.123-01.h hipaa-1114.01h1Organizational.123-01.h 1114.01h1Organizational.123-01.h 11 Access Control 1114.01h1Organizational.123-01.h 01.03 User Responsibilities Shared n/a Covered or critical business information is not left unattended or available for unauthorized individuals to access, including on desks, printers, copiers, fax machines, and computer monitors. 2
ISO27001-2013 A.11.2.8 ISO27001-2013_A.11.2.8 ISO 27001:2013 A.11.2.8 Physical And Environmental Security Unattended user equipment Shared n/a Users shall ensure that unattended equipment has appropriate protection. link 2
ISO27001-2013 A.9.4.2 ISO27001-2013_A.9.4.2 ISO 27001:2013 A.9.4.2 Access Control Secure log-on procedures Shared n/a Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. link 17
NIST_SP_800-171_R2_3 .1.11 NIST_SP_800-171_R2_3.1.11 NIST SP 800-171 R2 3.1.11 Access Control Terminate (automatically) a user session after a defined condition. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., disconnecting from the network). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on system use. link 1
NIST_SP_800-53_R4 AC-12 NIST_SP_800-53_R4_AC-12 NIST SP 800-53 Rev. 4 AC-12 Access Control Session Termination Shared n/a The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. Supplemental Guidance: This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use. Related controls: SC-10, SC-23. References: None. link 1
NIST_SP_800-53_R5 AC-12 NIST_SP_800-53_R5_AC-12 NIST SP 800-53 Rev. 5 AC-12 Access Control Session Termination Shared n/a Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. link 1
op.acc.2 Access requirements op.acc.2 Access requirements 404 not found n/a n/a 64
op.acc.5 Authentication mechanism (external users) op.acc.5 Authentication mechanism (external users) 404 not found n/a n/a 72
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) 404 not found n/a n/a 78
PCI_DSS_v4.0 8.2.8 PCI_DSS_v4.0_8.2.8 PCI DSS v4.0 8.2.8 Requirement 08: Identify Users and Authenticate Access to System Components User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle Shared n/a If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session. link 2
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-02 16:33:37 add 4502e506-5f35-0df4-684f-b326e3cc7093
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC