Details
If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
Rationale:
This prevents unauthorized users from misusing abandoned sessions. For example, if the network administrator leaves for the day and leaves a computer open with an enabled login session accessible. There is a trade-off here between security (shorter timeouts) and usability (longer timeouts). Review your local policies and operational needs to determine the best timeout value. In most cases, this should be no more than 10 minutes.
Impact:
Organizations should prevent unauthorized use of unattended or abandoned sessions by an automated control. Enabling ‘exec-timeout’ with an appropriate length reduces the risks of unauthorized access of abandoned sessions.
Solution
Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)#line tty {line_number} [ending_line_number]
hostname(config-line)#exec-timeout
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Cisco.