V-224979
CAT IIIThe directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity.
- Ships Affected
- 1
- Total Findings
- 8
- Open
- 1
- Closed
- 0
Check Text
This applies to domain controllers. It is NA for other systems.
Open an elevated "Command Prompt" (run as administrator).
Enter "ntdsutil".
At the "ntdsutil:" prompt, enter "LDAP policies".
At the "ldap policy:" prompt, enter "connections".
At the "server connections:" prompt, enter "connect to server [host-name]"
(where [host-name] is the computer name of the domain controller).
At the "server connections:" prompt, enter "q".
At the "ldap policy:" prompt, enter "show values".
If the value for MaxConnIdleTime is greater than "300" (5 minutes) or is not specified, this is a finding.
Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit.
Alternately, Dsquery can be used to display MaxConnIdleTime:
Open "Command Prompt (Admin)".
Enter the following command (on a single line).
dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr LDAPAdminLimits
The quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed (e.g., dc=disaost,dc=mil).
If the results do not specify a "MaxConnIdleTime" or it has a value greater than "300" (5 minutes), this is a finding.
Fix Text
Configure the directory service to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity.
Open an elevated "Command prompt" (run as administrator).
Enter "ntdsutil".
At the "ntdsutil:" prompt, enter "LDAP policies".
At the "ldap policy:" prompt, enter "connections".
At the "server connections:" prompt, enter "connect to server [host-name]" (where [host-name] is the computer name of the domain controller).
At the "server connections:" prompt, enter "q".
At the "ldap policy:" prompt, enter "Set MaxConnIdleTime to 300".
Enter "Commit Changes" to save.
Enter "Show values" to verify changes.
Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit.
STIG Reference
- STIG
- Microsoft Windows Server 2016 Security Technical Implementation Guide
- Version
- 2
- Release
- 10
- Rule ID
- SV-224979r970703_rule
All Occurrences
This vulnerability appears on 1 ship(s)
| Ship | Hull # | Source File | Status | Assigned To | Scan Date | Actions |
|---|---|---|---|---|---|---|
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-AP-002/Checklist/MONT-AP-002_WinServer2016_V2R10_20251023-144214.ckl | Unassigned | 2026-01-14T12:57:42.721079 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_WinServer2016_V2R10_20251023-143943.ckl | Unassigned | 2026-01-14T12:57:41.363810 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DB-002/Checklist/MONT-DB-002_WinServer2016_V2R10_20251023-144132.ckl | Unassigned | 2026-01-14T12:57:39.082634 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServer2016_V2R10_20251023-172220.ckl | Unassigned | 2026-01-14T12:57:37.248886 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DP-001/Checklist/MONT-DP-001_WinServer2016_V2R10_20251023-144106.ckl | Unassigned | 2026-01-14T12:57:35.637816 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-MB-002/Checklist/MONT-MB-002_WinServer2016_V2R10_20251023-152736.ckl | Unassigned | 2026-01-14T12:57:33.842838 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-VSF-003/Checklist/MONT-VSF-003_WinServer2016_V2R10_20251023-143935.ckl | Unassigned | 2026-01-14T12:57:31.534241 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-VSF-004/Checklist/MONT-VSF-004_WinServer2016_V2R10_20251023-143909.ckl | Unassigned | 2026-01-14T12:57:30.046447 | View in Context |