Title: The DBMS must limit the number of concurrent sessions for each system account to an organization defined number of sessions.
Vulnerability ID: V-32157
IA Controls: None
Description: Application management includes the ability to control the number of users and user sessions utilizing an application. Limiting the number of allowed users, and sessions per user, is helpful in limiting risks related to Denial of Service attacks.
This requirement addresses concurrent session control for a single information system account and does not address concurrent sessions by a single user via multiple system accounts.
This requirement may be met via the application or by utilizing information system session control provided by a web server with specialized session management capabilities. If it has been specified that this requirement will be handled by the application, the capability to limit the maximum number of concurrent single user sessions must be designed and built into the application.
The organization will need to define the maximum number of concurrent sessions for an information system account globally, by account type, by account, or a combination thereof and the application shall enforce that requirement.
Unlimited concurrent connections to the DBMS could allow a successful Denial of Service (DoS) attack by exhausting connection resources.
Check Text: Review settings for concurrent sessions in the DBMS. If the DBMS settings for concurrent sessions for each system account are not lower than or equal to the organization-defined maximum number of sessions, this is a finding.
Fix Text: Limit concurrent connections for each system account to a number less than or equal to the organization defined number of sessions.
SQL Server can restrict the number of connections from a user to the system. The basics setting is located in the properties dialog of the instance name. in SSMS right click on the server name and select properties, then connections. The “Maximum number of concurrent connection (0 = unlimited)” value determines the number of users that can connect to the SQL Server at a given time. IN general this is self managing, but in some situations it may have to be set to a fixed number to ensure not more than X number of people can connect to the server at one time.
As for the user themselves, the number of connections a specific UID or database can have can be limited using Server logon trigger to check if a connection exists for that UID, and if so deny further login.
A very simple example of a trigger would be something along these lines:
CREATE TRIGGER limit_connections_trigger
ON ALL SERVER
IF (SELECT * FROM sys.dm_exec_sessions
WHERE is_user_process = 1 AND
original_login_name = ORIGINAL_LOGIN()) > 2
*Note – This trigger is only an example. Other conditions may need to be checked, and the number of logins being counted may be adjusted (I used 2 since I Have an active connection, and RedGate tools running on my test server)
This trigger can also be expanded on to include a log of failed multiple logins, or even to have a table driven list of logins that are restricted rather than all logins being restricted.