Windows Server 2019 directory service must be configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity.

An XCCDF Rule

Description

The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability.

ID: SV-205726r970703_rule
Version: WN19-DC-000160
Severity: Low
References: CCI-001133
Updated: 6 days ago

Remediation Templates

Configure the directory service to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity.

Open an elevated "Command prompt" (run as administrator).

Enter "ntdsutil".
At the "ntdsutil:" prompt, enter "LDAP policies".

At the "ldap policy:" prompt, enter "connections".

At the "server connections:" prompt, enter "connect to server [host-name]" (where [host-name] is the computer name of the domain controller).

At the "server connections:" prompt, enter "q".

At the "ldap policy:" prompt, enter "Set MaxConnIdleTime to 300".

Enter "Commit Changes" to save.

Enter "Show values" to verify changes.

Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit.

Windows Server 2019 directory service must be configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity.

Description

Remediation Templates

A Manual Procedure