DoD STIGs – V-32157

STIGs Image


Title: The DBMS must limit the number of concurrent sessions for each system account to an organization defined number of sessions.

Vulnerability ID: V-32157


IA Controls: None

Severity: medium

Description: Application management includes the ability to control the number of users and user sessions utilizing an application. Limiting the number of allowed users, and sessions per user, is helpful in limiting risks related to Denial of Service attacks.

This requirement addresses concurrent session control for a single information system account and does not address concurrent sessions by a single user via multiple system accounts.

This requirement may be met via the application or by utilizing information system session control provided by a web server with specialized session management capabilities. If it has been specified that this requirement will be handled by the application, the capability to limit the maximum number of concurrent single user sessions must be designed and built into the application.

The organization will need to define the maximum number of concurrent sessions for an information system account globally, by account type, by account, or a combination thereof and the application shall enforce that requirement.

Unlimited concurrent connections to the DBMS could allow a successful Denial of Service (DoS) attack by exhausting connection resources.

Check Text: Review settings for concurrent sessions in the DBMS. If the DBMS settings for concurrent sessions for each system account are not lower than or equal to the organization-defined maximum number of sessions, this is a finding.

Fix Text: Limit concurrent connections for each system account to a number less than or equal to the organization defined number of sessions.

Interpreting V-32157:

SQL Server can restrict the number of connections from a user to the system. The basics setting is located in the properties dialog of the instance name. in SSMS right click on the server name and select properties, then connections. The “Maximum number of concurrent connection (0 = unlimited)” value determines the number of users that can connect to the SQL Server at a given time. IN general this is self managing, but in some situations it may have to be set to a fixed number to ensure not more than X number of people can connect to the server at one time.

As for the user themselves, the number of connections a specific UID or database  can have can be limited using Server logon trigger to check if a connection exists for that UID, and if so deny further login.

A very simple example of a trigger would be something along these lines:

*Note – This trigger is only an example. Other conditions may need to be checked, and the number of logins being counted may be adjusted (I used 2 since I Have an active connection, and RedGate tools running on my test server)

This trigger can also be expanded on to include a log of failed multiple logins, or even to have a table driven list of logins that are restricted rather than all logins being restricted.

Return to the DoD STIGs – Database Security Requirements Guide

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.