Level 2
Description:
Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of the system but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined, typically at the operating system level (but can also be at the application level). Session locks are not an acceptable substitute for logging out of the system, for example, if organizations require users to log out at the end of the workday. Pattern-hiding displays can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey controlled unclassified information.
Priority: Medium
Domain: ACCESS CONTROL (AC)
Services Associated with AWS:
- AWS WorkSpaces
- Amazon AppStream 2.0
Services Associated with Azure:
- Azure Active Directory (Azure AD)
- Azure Virtual Desktop
- Azure Security Center
- Azure Monitor
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Technical: screen shot of configuration settings
Possible Technology Considerations:
- Secure Baseline Configurations (SBC)
What needs to be answered:
Do computers lock after being idle?
Checks for AWS:
- Ensure Implementation of Session Lock
  Description: This check verifies that session locks are implemented to secure the system when users stop work and move away from the immediate vicinity of the system but do not want to log out.
- Validate Usage of Session Lock vs. System Log Out
  Description: This check confirms that session locks are not being used as a substitute for logging out of the system when required, such as at the end of the workday.
- Check Implementation of Pattern-Hiding Displays
  Description: This check ensures that pattern-hiding displays, which can include static or dynamic images that do not convey controlled unclassified information, are used in conjunction with session locks.
Checks for Azure:
- Ensure Implementation of Session Lock in Azure Virtual Desktop
  Description: This check verifies that session locks are implemented in Azure Virtual Desktop to secure the system when users stop work and move away from the immediate vicinity of the system but do not want to log out.
- Validate Usage of Session Lock vs. System Log Out in Azure Virtual Desktop
  Description: This check confirms that session locks are not being used as a substitute for logging out of the system in Azure Virtual Desktop when required, such as at the end of the workday.
- Check Implementation of Pattern-Hiding Displays in Azure Virtual Desktop
  Description: This check ensures that pattern-hiding displays, which can include static or dynamic images that do not convey controlled unclassified information, are used in conjunction with session locks in Azure Virtual Desktop.
- Ensure Implementation of Session Lock in Azure App Service
  Description: This check verifies that session locks are implemented in Azure App Service to secure the system when users stop work and move away from the immediate vicinity of the system but do not want to log out.
- Validate Usage of Session Lock vs. System Log Out in Azure App Service
  Description: This check confirms that session locks are not being used as a substitute for logging out of the system in Azure App Service when required, such as at the end of the workday.
- Check Implementation of Pattern-Hiding Displays in Azure App Service
  Description: This check ensures that pattern-hiding displays, which can include static or dynamic images that do not convey controlled unclassified information, are used in conjunction with session locks in Azure App Service.
More Details: Access to systems containing CUI logs off automatically after 15 minutes of inactivity.
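As an added example (not part of this control's text and not a vendor tool), the following PowerShell audit reads the Group Policy registry values that back the Windows session-lock settings on a Windows session host (such as an Azure Virtual Desktop or WorkSpaces host) and reports whether an enforced lock fires within the 15-minute figure from More Details and whether the configured screen saver is the blank (pattern-hiding) one. It assumes it runs inside the assessed user's session, since the screen saver policy lives under HKCU; the 900-second threshold and the PASS/FAIL labels are this example's own choices.

```powershell
# Added audit helper for the session-lock checks above; not part of the control text.
# Assumes a managed Windows host and that it runs in the assessed user's session.

$MaxIdleSeconds = 900   # 15 minutes, the figure given under "More Details"

# User policy: screen saver settings pushed by Group Policy (REG_SZ values)
$desktopPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
# Machine policy: "Interactive logon: Machine inactivity limit" (REG_DWORD, seconds)
$systemPolicy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the policy is not configured (key or value absent)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$saverActive  = Get-PolicyValue $desktopPolicy 'ScreenSaveActive'
$saverSecure  = Get-PolicyValue $desktopPolicy 'ScreenSaverIsSecure'
$saverTimeout = (Get-PolicyValue $desktopPolicy 'ScreenSaveTimeOut') -as [int]
$saverExe     = Get-PolicyValue $desktopPolicy 'SCRNSAVE.EXE'
$machineIdle  = (Get-PolicyValue $systemPolicy 'InactivityTimeoutSecs') -as [int]

# A lock is enforced when a password-protected screen saver fires within the limit,
# or when the machine inactivity limit is set within the limit. Absent/zero = off.
$saverLocks   = ($saverActive -eq '1') -and ($saverSecure -eq '1') -and
                ($saverTimeout -gt 0) -and ($saverTimeout -le $MaxIdleSeconds)
$machineLocks = ($machineIdle -gt 0) -and ($machineIdle -le $MaxIdleSeconds)

$findings = @()
if (-not ($saverLocks -or $machineLocks)) {
    $findings += "No enforced session lock within $MaxIdleSeconds s " +
                 "(ScreenSaveTimeOut=$saverTimeout, InactivityTimeoutSecs=$machineIdle)"
}
# Pattern-hiding display: the built-in blank saver (scrnsave.scr) shows nothing;
# any other .scr is flagged so the assessor can confirm it displays no CUI.
if ($saverLocks -and $saverExe -and ($saverExe -notmatch 'scrnsave\.scr$')) {
    $findings += "Screen saver '$saverExe' is not the blank saver; verify it conveys no CUI"
}
$status = if ($findings.Count -eq 0) { 'PASS' } else { 'FAIL' }

# Emit one record per host/user; pipe to Export-Csv to collect objective evidence
[pscustomobject]@{
    Host                  = $env:COMPUTERNAME
    User                  = $env:USERNAME
    ScreenSaverLockActive = $saverLocks
    MachineInactivityLock = $machineLocks
    Status                = $status
    Findings              = ($findings -join '; ')
}
```

The record complements the "screen shot of configuration settings" evidence item: it captures the same settings in a form that can be collected across a fleet and diffed against the secure baseline configuration.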