Steve’s Thoughts
My girlfriend asks me this question almost every time we leave our home. Why, you ask? Because I’ve forgotten my keys more often than I should and then been locked out. This happens because our front door automatically locks when we leave as a safety precaution. Maybe I need to replace my Ted Lasso “BELIEVE” sign with a “Do you BELIEVE you have your keys?” sign.
Automatic session locking is a security feature that automatically locks a user's session on an enterprise asset, such as a computer or mobile device, after a specified period of inactivity. Just as locking the front door of a home acts as a deterrent for potential intruders, enabling session locking ensures that unauthorized individuals cannot access a user's digital workspace. It adds an extra layer of protection by requiring authentication, such as a password or biometric verification, to regain access to the session.
Configuring automatic session locking on enterprise assets after a defined period of inactivity is a crucial security measure that helps protect sensitive data and mitigate the risk of unauthorized access. By implementing session locking best practices, organizations can bolster their security posture, comply with regulatory requirements, and foster a security-conscious culture among employees. Remember, an effective security strategy combines technical controls with user awareness and adherence to best practices.
Bryon’s Thoughts
CIS Safeguard 4.3 places emphasis on the implementation of automatic session locking for enterprise assets. This safeguard entails configuring systems to automatically lock user sessions after a designated period of inactivity. The purpose of this security measure is to protect against unauthorized access and mitigate potential risks when devices are left unattended. By implementing automatic session locking, we enhance our organization's overall security posture and minimize the likelihood of data breaches, internal threats, and other detrimental security incidents.
The recommended idle timeout durations for configuring automatic session locking on enterprise assets after a defined period of inactivity can vary depending on the organization's requirements. Here are some general recommendations:
- Workstations and Laptops:
  - It is advisable to set an idle timeout duration of 5 to 15 minutes for desktop workstations and laptops. This means that if a user remains inactive for the specified duration, the session will automatically lock, requiring the user to authenticate again to regain access.
- Servers and Critical Systems:
  - For servers and critical systems, a longer idle timeout duration of 15 to 30 minutes is typically recommended. However, organizations should consider factors such as the sensitivity of the accessed data and the potential risk associated with unauthorized access when determining the appropriate duration.
- Mobile Devices:
  - Mobile devices, such as smartphones and tablets, require a shorter idle timeout duration due to their portability and higher risk of loss or theft. It is recommended to set an idle timeout duration of 1 to 5 minutes for mobile devices.
These recommendations serve as a starting point. Organizations should evaluate their specific security needs, compliance requirements, and user convenience when setting the idle timeout durations. It may be necessary to establish different session locking times based on user roles or departments, considering their access privileges and associated risks.
Regular review and assessment of the configured idle timeout durations are essential to ensure they remain effective in mitigating security risks and align with the organization's evolving needs and industry best practices.
Here’s a link to a Secure Configuration Management Policy Template provided free of charge from the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/secure-configuration-management-for-cis-control-4
Here are some details on this specific Control/Safeguard. If you want more detail, DM me.
CIS Control 4 – Secure Configuration of Enterprise Assets & Software
Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
Implementation Group 1
CIS Safeguard 4.3 - Configure Automatic Session Locking on Enterprise Assets
Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.
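As an added example (not from the post or from CIS), here is a small audit script that normalizes session-lock settings collected from different platforms and checks each asset against the Safeguard 4.3 maximums quoted above (15 minutes for general-purpose operating systems, 2 minutes for mobile end-user devices). It also catches the two failure modes a timeout value alone hides: a lock that does not require re-authentication, and a timeout of zero that means "never". The inventory records are constructed; their field names mirror the Windows ScreenSave* registry values and the GNOME desktop gsettings keys, while the MDM record shape is an assumption.

```python
"""Audit recorded session-lock settings against the CIS Safeguard 4.3 limits."""

# Safeguard 4.3: general-purpose OS <= 15 min, mobile end-user devices <= 2 min.
MAX_IDLE_SECONDS = {"general": 15 * 60, "mobile": 2 * 60}

def normalize(record):
    """Reduce a platform-specific record to (asset_class, requires_auth, idle_seconds)."""
    src = record["source"]
    if src == "windows_registry":  # registry exports carry values as strings
        active = record["ScreenSaveActive"] == "1"
        secure = record["ScreenSaverIsSecure"] == "1"  # saver demands password on resume
        return "general", active and secure, int(record["ScreenSaveTimeOut"])
    if src == "gnome_gsettings":  # idle-delay 0 means the screen never blanks or locks
        idle = record["idle-delay"]
        lock_after = idle + record["lock-delay"] if idle else 0  # lock follows blanking
        return "general", record["lock-enabled"], lock_after
    if src == "mdm_policy":  # assumed MDM shape: inactivity expressed in minutes
        return "mobile", record["passcode_required"], record["max_inactivity_minutes"] * 60
    raise ValueError(f"unknown record source: {src}")

def evaluate(record):
    """Return (compliant, reason) for one asset against the limit for its class."""
    asset_class, requires_auth, idle = normalize(record)
    limit = MAX_IDLE_SECONDS[asset_class]
    if not requires_auth:
        return False, "lock does not require re-authentication"
    if idle <= 0:
        return False, "idle timeout is disabled"
    if idle > limit:
        return False, f"idle timeout {idle}s exceeds {limit}s limit"
    return True, f"idle timeout {idle}s within {limit}s limit"

def audit(records):
    """Map each asset name to its (compliant, reason) verdict."""
    return {r["asset"]: evaluate(r) for r in records}

# Constructed sample inventory (not real hosts); shapes mirror the Windows
# ScreenSave* registry values, GNOME desktop gsettings keys, and an assumed MDM policy.
SAMPLE_INVENTORY = [
    {"asset": "ws-01", "source": "windows_registry", "ScreenSaveActive": "1",
     "ScreenSaverIsSecure": "1", "ScreenSaveTimeOut": "600"},
    {"asset": "ws-02", "source": "windows_registry", "ScreenSaveActive": "1",
     "ScreenSaverIsSecure": "0", "ScreenSaveTimeOut": "600"},
    {"asset": "lx-01", "source": "gnome_gsettings", "idle-delay": 600,
     "lock-delay": 600, "lock-enabled": True},
    {"asset": "ph-01", "source": "mdm_policy", "passcode_required": True,
     "max_inactivity_minutes": 5},
]
```

Running `audit(SAMPLE_INVENTORY)` flags ws-02 (screen saver without a password), lx-01 (600 s blank plus 600 s lock delay totals 1200 s, over the 900 s limit) and ph-01 (5 minutes sits inside the post's 1 to 5 minute range but above the Safeguard's 2 minute maximum).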