last sync: 2024-Sep-18 17:50:24 UTC

Reauthenticate or terminate a user session | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Reauthenticate or terminate a user session
Id d6653f89-7cb5-24a4-9d71-51581038231b
Version 1.1.0
Versioning Versions supported: 1 (1.1.0); Built-in Versioning [Preview]
Category Regulatory Compliance
Description CMA_0421 - Reauthenticate or terminate a user session
Additional metadata Name/Id: CMA_0421 / CMA_0421
Category: Operational
Title: Reauthenticate or terminate a user session
Ownership: Customer
Description: Microsoft recommends that your organization automatically terminate a user session upon predefined scenarios, such as inactivity, exceeding the allowed number of concurrent sessions, or other organization-defined conditions. When terminating the user session, your organization may display a logout message to users to signify the secure termination. It is recommended that your organization determine reauthentication time intervals according to authenticator assurance levels (AAL). NIST 800-63 provides the following guidelines:
- AAL1: Reauthentication of a user is repeated at least once per 30 days during an extended usage session
- AAL2: Reauthentication of a user occurs every 12 hours during an extended usage session or after 30 minutes of inactivity
- AAL3: Reauthentication of a user occurs every 12 hours during an extended usage session or after 15 minutes of inactivity
Microsoft recommends that your organization implement session secrets to bind the session between the software being run by the subscriber and your organization. This allows the subscriber to keep an active session while protecting that session from unauthorized connections. NIST 800-63B states that the secret should be presented directly by the subscriber's software, or that possession of the secret should be proven using a cryptographic mechanism. It is recommended that the secret be generated by your organization, as the session host, in response to an authentication event, and that the session possess the Authentication Assurance Level (AAL) characteristics of that authentication event. We recommend ensuring that the session secret meets regulatory and organizational requirements.
Additionally, it is recommended that systems:
- Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources], and
- Display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
Requirements: The customer is responsible for implementing this recommendation.
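An added example (not part of this page or of any Microsoft implementation) showing how a session host could apply the AAL reauthentication limits described above and bind each session to a host-generated secret, as NIST 800-63B recommends; the server key, subscriber names and timestamps are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# NIST 800-63B reauthentication limits per AAL, as quoted in the description:
# (maximum session lifetime, maximum inactivity); None means no inactivity limit.
AAL_LIMITS = {
    1: (timedelta(days=30), None),
    2: (timedelta(hours=12), timedelta(minutes=30)),
    3: (timedelta(hours=12), timedelta(minutes=15)),
}


class SessionHost:
    """Issues a session secret at an authentication event and evaluates it later."""

    def __init__(self, server_key: bytes):
        self.server_key = server_key  # constructed; in practice a managed secret
        self.sessions = {}  # session id -> record (only a MAC of the secret is kept)

    def _mac(self, sid: str, secret: str) -> bytes:
        return hmac.new(self.server_key, f"{sid}:{secret}".encode(), hashlib.sha256).digest()

    def authenticate(self, subscriber: str, aal: int, now: datetime) -> str:
        # The host generates the session secret in response to the authentication
        # event; the session inherits the AAL of that event.
        sid = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self.sessions[sid] = {"subscriber": subscriber, "aal": aal,
                              "authenticated_at": now, "last_activity": now,
                              "secret_mac": self._mac(sid, secret)}
        return f"{sid}.{secret}"

    def check(self, token: str, now: datetime) -> str:
        """Return 'ok', 'reauthenticate' or 'invalid'; expiry terminates the session."""
        sid, _, secret = token.partition(".")
        rec = self.sessions.get(sid)
        if rec is None or not hmac.compare_digest(rec["secret_mac"], self._mac(sid, secret)):
            return "invalid"  # unknown session or secret not proven: no access
        lifetime, idle = AAL_LIMITS[rec["aal"]]
        expired = now - rec["authenticated_at"] > lifetime
        if idle is not None and now - rec["last_activity"] > idle:
            expired = True
        if expired:
            del self.sessions[sid]  # terminate; the user must reauthenticate
            return "reauthenticate"
        rec["last_activity"] = now
        return "ok"
```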
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default: Manual; Allowed: Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1): Microsoft.Resources/subscriptions
Compliance
The following 17 compliance controls are associated with this Policy definition 'Reauthenticate or terminate a user session' (d6653f89-7cb5-24a4-9d71-51581038231b)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 SC-10 FedRAMP_High_R4_SC-10 FedRAMP High SC-10 System And Communications Protection Network Disconnect Shared n/a The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. Supplemental Guidance: This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses. Control Enhancements: None. References: None. link 1
FedRAMP_Moderate_R4 SC-10 FedRAMP_Moderate_R4_SC-10 FedRAMP Moderate SC-10 System And Communications Protection Network Disconnect Shared n/a The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. Supplemental Guidance: This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses. Control Enhancements: None. References: None. link 1
hipaa 11126.01t1Organizational.12-01.t hipaa-11126.01t1Organizational.12-01.t 11126.01t1Organizational.12-01.t 11 Access Control 11126.01t1Organizational.12-01.t 01.05 Operating System Access Control Shared n/a A time-out mechanism (e.g., a screen saver) pauses the session screen after 15 minutes of inactivity, closes network sessions after 30 minutes of inactivity, and requires the user to reestablish authenticated access once the session has been paused or closed; or, if the system cannot be modified, a limited form of time-out that clears the screen but does not close down the application or network sessions is used. 1
ISO27001-2013 A.13.1.1 ISO27001-2013_A.13.1.1 ISO 27001:2013 A.13.1.1 Communications Security Network controls Shared n/a Networks shall be managed and controlled to protect information in systems and applications. link 40
mp.com.2 Protection of confidentiality mp.com.2 Protection of confidentiality n/a n/a n/a 55
mp.com.3 Protection of integrity and authenticity mp.com.3 Protection of integrity and authenticity n/a n/a n/a 62
mp.com.4 Separation of information flows on the network mp.com.4 Separation of information flows on the network n/a n/a n/a 51
NIST_SP_800-171_R2 3.13.9 NIST_SP_800-171_R2_3.13.9 NIST SP 800-171 R2 3.13.9 System and Communications Protection Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement applies to internal and external networks. Terminating network connections associated with communications sessions include de-allocating associated TCP/IP address or port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of user inactivity may be established by organizations and include time periods by type of network access or for specific network accesses. link 1
NIST_SP_800-53_R4 SC-10 NIST_SP_800-53_R4_SC-10 NIST SP 800-53 Rev. 4 SC-10 System And Communications Protection Network Disconnect Shared n/a The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. Supplemental Guidance: This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses. Control Enhancements: None. References: None. link 1
NIST_SP_800-53_R5 SC-10 NIST_SP_800-53_R5_SC-10 NIST SP 800-53 Rev. 5 SC-10 System and Communications Protection Network Disconnect Shared n/a Terminate the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. link 1
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) n/a n/a n/a 78
op.exp.2 Security configuration op.exp.2 Security configuration n/a n/a n/a 112
op.exp.3 Security configuration management op.exp.3 Security configuration management n/a n/a n/a 123
op.ext.4 Interconnection of systems op.ext.4 Interconnection of systems n/a n/a n/a 68
op.pl.2 Security Architecture op.pl.2 Security Architecture n/a n/a n/a 65
org.4 Authorization process org.4 Authorization process n/a n/a n/a 126
SWIFT_CSCF_v2022 2.6 SWIFT_CSCF_v2022_2.6 SWIFT CSCF v2022 2.6 2. Reduce Attack Surface and Vulnerabilities Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote (operated by a service provider) SWIFT infrastructure or service provider SWIFT-related applications Shared n/a The confidentiality and integrity of interactive operator sessions that connect to service provider SWIFT-related applications or into the secure zone are safeguarded. link 17
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add d6653f89-7cb5-24a4-9d71-51581038231b