AOS must limit the number of concurrent sessions to a maximum of three for each administrator account and/or administrator account type.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-266903 | SRG-APP-000001-NDM-000200 | ARBA-ND-000200 | SV-266903r1039730_rule | 2024-10-29 | 1 |
| Description |
|---|
| Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator based on account type, role, or access type is helpful in limiting risks related to denial-of-service (DoS) attacks. This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system. At a minimum, limits must be set for Secure Shell (SSH), Hypertext Transfer Protocol Secure (HTTPS), and account of last resort. |
| ℹ️ Check |
|---|
| Verify the AOS configuration with the following command: show mgmt-user admin If "Max-concurrent-sessions" is not set to "3", this is a finding. |
| ✔️ Fix |
|---|
| Configure AOS with the following commands: configure terminal mgmt-user admin root max-concurrent-sessions 3 Enter the admin's password Reenter the admin's password write memory |