CCI-000054

Limit the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number.

1 rule found Severity: Medium

33 rules found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

4 rules found Severity: Medium

2 rules found Severity: Medium

2 rules found Severity: Low

2 rules found Severity: Medium

1 rule found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Low

2 rules found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Low

1 rule found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

3 rules found Severity: Medium

4 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

3 rules found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

2 rules found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

2 rules found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

CCI-000054

The DoD Root Certificate Exists

Enable Shared System Certificates

Limit the Number of Concurrent Login Sessions Allowed Per User

Compliance Guardian must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.

The CA API Gateway providing user access control intermediary services must limit users to two concurrent sessions.

Delivery Controller must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.

The application must limit the number of concurrent sessions to three.

The Docker Enterprise Per User Limit Login Session Control in the Universal Control Plane (UCP) Admin Settings must be set to an organization-defined value for all accounts and/or account types.

The FortiGate device must limit the number of logon and user sessions.

CounterACT must limit the number of concurrent sessions to an organization-defined number for each administrator account type.

Infoblox systems that perform zone transfers to non-Grid DNS servers must limit the number of concurrent sessions for zone transfers.

The Infoblox system must limit the number of concurrent client connections to the number of allowed dynamic update clients.

IBM Aspera Console must prevent concurrent logins for all accounts.

IBM Aspera Faspex must prevent concurrent logins for all accounts.

The IBM Aspera High-Speed Transfer Endpoint must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.

The IBM Aspera High-Speed Transfer Server must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.

The MQ Appliance messaging server must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing operationally-defined security safeguards.

The WebSphere Application Server maximum in-memory session count must be set according to application requirements.

The Ivanti MobileIron Core server must limit the number of concurrent sessions per privileged user account to three or less concurrent sessions.

MobileIron Sentry must limit the number of concurrent sessions for the CLISH interface to an organization-defined number for each administrator account and/or administrator account type.

MobileIron Sentry must be configured to limit the network access of the Sentry System Manager Portal behind the corporate firewall and whitelist source IP range.

The ISEC7 EMM Suite must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.

The number of concurrent SQL Server sessions for each system account must be limited.

The Windows 2012 DNS Server must restrict incoming dynamic update requests to known clients.

Nutanix AOS must limit the number of concurrent sessions to ten for all accounts and/or account types.

OHS must have the mpm property set to use the worker Multi-Processing Module (MPM) as the preferred means to limit the number of allowed simultaneous requests.

OHS must have the mpm_prefork_module directive disabled so as not conflict with the worker directive used to limit the number of allowed simultaneous requests.

OHS must have the MaxClients directive defined to limit the number of allowed simultaneous requests.

OHS must limit the number of threads within a worker process to limit the number of allowed simultaneous requests.

OHS must limit the number of worker processes to limit the number of allowed simultaneous requests.

OHS must capture, record, and log all content related to a user session.

Riverbed Optimization System (RiOS) must limit the number of concurrent sessions to one (1) for each administrator account and/or administrator account type.

The Samsung SDS EMM must limit the number of concurrent sessions to one session for all accounts and/or account types.

The Tanium max_soap_sessions_total setting must be explicitly enabled to limit the number of simultaneous sessions.

The Tanium max_soap_sessions_per_user setting must be explicitly enabled to limit the number of simultaneous sessions.

The Tanium soap_max_keep_alive setting must be explicitly enabled to limit the number of simultaneous sessions.

The Tanium Operating System (TanOS) must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.

The Ubuntu operating system must limit the number of concurrent sessions to ten for all accounts and/or account types.

MongoDB must limit the total number of concurrent connections to the database.

The DBMS must limit the number of concurrent sessions for each system account to an organization-defined number of sessions.

The DBMS must protect against or limit the effects of the organization-defined types of Denial of Service (DoS) attacks.

PostgreSQL must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.

The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.

The EDB Postgres Advanced Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.

The F5 BIG-IP appliance must be configured to set the "Max In Progress Sessions per Client IP" value to 10 or less.

The BIG-IP appliance must limit the number of concurrent sessions to the Configuration Utility to 10 or an organization-defined number.

The BIG-IP Core implementation must be configured to limit the number of concurrent sessions to an organization-defined number for virtual servers.

The number of allowed simultaneous sessions to the manager application must be limited.

The BIND 9.x secondary name server must limit the number of zones requested from a single master name server.

The BIND 9.x secondary name server must limit the total number of zones the name server can request at any one time.

The BIND 9.x server implementation must limit the number of concurrent session client connections to the number of allowed dynamic update clients.

A BIND 9.x master name server must limit the number of concurrent zone transfers between authorized secondary name servers.

For interactive sessions, IDMS must limit the number of concurrent sessions for the same user to one or allow unlimited sessions.

The DBMS must develop a procedure to limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.

The Cisco switch must be configured to limit the number of concurrent management sessions to an organization-defined number.

The DNS implementation must limit the number of concurrent sessions for zone transfers to the number of secondary name servers.

The DNS implementation must limit the number of concurrent sessions client connections to the number of allowed dynamic update clients.

The Enterprise Voice, Video, and Messaging Endpoint must be configured to limit the number of concurrent sessions to an organizationally defined number.

The F5 BIG-IP appliance must be configured to set the "Max In Progress Sessions per Client IP" value to 10 or an organizational-defined number.

The Enterprise Voice, Video, and Messaging Session Manager must limit the number of concurrent management sessions to an organizationally defined limit.

The F5 BIG-IP appliance must be configured to limit the number of concurrent sessions to the Configuration Utility to 10 or an organization-defined number.

SSMC web server must limit the number of allowed simultaneous session requests.

The HPE Nimble must limit the number of concurrent sessions to an organization-defined number for each administrator account.

AIX must limit the number of concurrent sessions to 10 for all accounts and/or account types.

The ISEC7 SPHERE must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.

Sentry must limit the number of concurrent sessions for the CLISH interface to an organization-defined number for each administrator account and/or administrator account type.

Sentry must be configured to limit the network access of the Sentry System Manager Portal behind the corporate firewall and whitelist source IP range.

The ICS must be configured to limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type.

The ICS must be configured to limit the number of concurrent sessions for user accounts to one.

The Ivanti EPMM server must limit the number of concurrent sessions per privileged user account to three or less concurrent sessions.

The Juniper EX switch must be configured to limit the number of concurrent management sessions to 10 or an organization-defined value.

MarkLogic Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.

The IIS 10.0 websites MaxConnections setting must be configured to limit the number of allowed simultaneous session requests.

The IIS 10.0 website session state must be enabled.

The IIS 10.0 website session state cookie settings must be configured to Use Cookies mode.

The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.

The network device must limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type.

The Oracle Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.

MySQL Database Server 8.0 must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.