last sync: 2024-Oct-11 17:51:27 UTC

Reauthenticate or terminate a user session | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Reauthenticate or terminate a user session
Id d6653f89-7cb5-24a4-9d71-51581038231b
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0421 - Reauthenticate or terminate a user session
Additional metadata Name/Id: CMA_0421 / CMA_0421
Category: Operational
Title: Reauthenticate or terminate a user session
Ownership: Customer
Description: Microsoft recommends that your organization automatically terminates a user session upon predefined scenarios, such as inactivity, exceeding allowed number of concurrent sessions, or other organization-defined conditions. When terminating the user session, your organization may display a logout message to users to signify the secure termination. It is recommended that your organization determine reauthentication time intervals according to authenticator assurance levels (AAL). NIST 800-63 provides the following guidelines: - AAL1: Reauthentication of a user is repeated at least once per 30 days during an extended usage session - AAL2: Reauthentication of a user occurs every 12 hours during an extended usage session or after 30 minutes of inactivity - AAL3: Reauthentication of a user occurs every 12 hours during an extended usage session or after 15 minutes of inactivity. Microsoft recommends that your organization implement the use of session secrets to bind the session between the software that is being run by the subscriber and your organization. This will allow the subscriber to continue to have an active session and protect the session from unauthorized connections. NIST 800-63B states that the secret should be presented directly by the subscriber's software or possession of the secret should be proven using a cryptographic mechanism. It is recommended that the secret is generated by your organization, as the session host, in response to an authentication event. It is also recommended that the session possess the Authentication Assurance Level (AAL) characteristics of the authentication of the authentication event. We recommend ensuring that the session secret meet regulatory and organizational requirements. Additionally, it is recommended that systems: - Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources] and - Display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 17 compliance controls are associated with this Policy definition 'Reauthenticate or terminate a user session' (d6653f89-7cb5-24a4-9d71-51581038231b)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 SC-10 FedRAMP_High_R4_SC-10 FedRAMP High SC-10 System And Communications Protection Network Disconnect Shared n/a The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. Supplemental Guidance: This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses. Control Enhancements: None. References: None. link 1
FedRAMP_Moderate_R4 SC-10 FedRAMP_Moderate_R4_SC-10 FedRAMP Moderate SC-10 System And Communications Protection Network Disconnect Shared n/a The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. Supplemental Guidance: This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses. Control Enhancements: None. References: None. link 1
hipaa 11126.01t1Organizational.12-01.t hipaa-11126.01t1Organizational.12-01.t 11126.01t1Organizational.12-01.t 11 Access Control 11126.01t1Organizational.12-01.t 01.05 Operating System Access Control Shared n/a A time-out mechanism (e.g., a screen saver) pauses the session screen after 15 minutes of inactivity, closes network sessions after 30 minutes of inactivity, and requires the user to reestablish authenticated access once the session has been paused or closed; or, if the system cannot be modified, a limited form of time-out that clears the screen but does not close down the application or network sessions is used. 1
ISO27001-2013 A.13.1.1 ISO27001-2013_A.13.1.1 ISO 27001:2013 A.13.1.1 Communications Security Network controls Shared n/a Networks shall be managed and controlled to protect information in systems and applications. link 40
mp.com.2 Protection of confidentiality mp.com.2 Protection of confidentiality 404 not found n/a n/a 55
mp.com.3 Protection of integrity and authenticity mp.com.3 Protection of integrity and authenticity 404 not found n/a n/a 62
mp.com.4 Separation of information flows on the network mp.com.4 Separation of information flows on the network 404 not found n/a n/a 51
NIST_SP_800-171_R2_3 .13.9 NIST_SP_800-171_R2_3.13.9 NIST SP 800-171 R2 3.13.9 System and Communications Protection Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement applies to internal and external networks. Terminating network connections associated with communications sessions include de-allocating associated TCP/IP address or port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of user inactivity may be established by organizations and include time periods by type of network access or for specific network accesses link 1
NIST_SP_800-53_R4 SC-10 NIST_SP_800-53_R4_SC-10 NIST SP 800-53 Rev. 4 SC-10 System And Communications Protection Network Disconnect Shared n/a The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. Supplemental Guidance: This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses. Control Enhancements: None. References: None. link 1
NIST_SP_800-53_R5 SC-10 NIST_SP_800-53_R5_SC-10 NIST SP 800-53 Rev. 5 SC-10 System and Communications Protection Network Disconnect Shared n/a Terminate the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. link 1
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) 404 not found n/a n/a 78
op.exp.2 Security configuration op.exp.2 Security configuration 404 not found n/a n/a 112
op.exp.3 Security configuration management op.exp.3 Security configuration management 404 not found n/a n/a 123
op.ext.4 Interconnection of systems op.ext.4 Interconnection of systems 404 not found n/a n/a 68
op.pl.2 Security Architecture op.pl.2 Security Architecture 404 not found n/a n/a 65
org.4 Authorization process org.4 Authorization process 404 not found n/a n/a 126
SWIFT_CSCF_v2022 2.6 SWIFT_CSCF_v2022_2.6 SWIFT CSCF v2022 2.6 2. Reduce Attack Surface and Vulnerabilities Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications Shared n/a The confidentiality and integrity of interactive operator sessions that connect to service provider SWIFT-related applications or into the secure zone are safeguarded. link 17
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add d6653f89-7cb5-24a4-9d71-51581038231b
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC