Documentation - V-271263

Title

SQL Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.

Description

<VulnDiscussion>Database management includes the ability to control the number of users and user sessions using a DBMS. Unlimited concurrent connections to the DBMS could allow a successful denial-of-service (DoS) attack by exhausting connection resources; and a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions per user is helpful in reducing these risks. This requirement addresses concurrent session control for a single account. ...

Fix Text (Documentation Requirement)

If a trigger consumes too much CPU, an example alternative method for limiting the concurrent users is setting the max connection limit on SQL Server. In SQL Server Management Studio's Object Explorer tree, right-click on the Server Name >> Properties >> Connections Tab >> Set the Maximum Number of Concurrent Connections to a value other than 0 (0 = unlimited), and document it. OR Run the query: EXEC sys.sp_configure N'user connections','5000' /* this is an example max limit */ GO RECONFIGURE WITH OVERRIDE GO Restart SQL Server for the setting to take effect. Reference: https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option? Otherwise, establish the limit(s) appropriate to the type(s) of user account accessi...