4.3 (IG1, IG2, IG3)

Configure Automatic Session Locking on Enterprise Assets

Asset Type: Users
Security Function: Protect

Description

Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in a non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
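The description above sets two numeric thresholds (15 minutes for general-purpose operating systems, 2 minutes for mobile end-user devices), and checklist steps 1 and 4 require assessing and then verifying the lock configuration on real assets. The following script is an added example, not part of the CIS document: it parses constructed samples of a Windows `reg query` export (the `ScreenSaveActive`, `ScreenSaveTimeOut` and `ScreenSaverIsSecure` values under `HKCU\Control Panel\Desktop`) and a GNOME `gsettings list-recursively` export (`idle-delay`, `lock-enabled`, `lock-delay`), normalises each to "seconds until an authentication-required lock", and reports pass/fail per asset type. The hostnames, sample values and the mobile records are constructed; mobile settings are assumed to have already been converted to seconds from whatever the MDM export provides.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# CIS 4.3 thresholds in seconds: 15 min for general-purpose OSes, 2 min for mobile devices.
MAX_IDLE_SECONDS = {"general": 15 * 60, "mobile": 2 * 60}


@dataclass
class LockConfig:
    hostname: str
    asset_type: str               # "general" or "mobile"
    idle_seconds: Optional[int]   # inactivity before the lock engages; None = never locks
    requires_auth: bool           # True if resuming the session requires re-authentication


def parse_windows_reg(hostname: str, reg_output: str) -> LockConfig:
    """Parse `reg query "HKCU\\Control Panel\\Desktop"` output.

    ScreenSaveActive=1 enables the screen saver, ScreenSaveTimeOut is the idle
    delay in seconds, and ScreenSaverIsSecure=1 demands a password on resume.
    """
    vals = dict(re.findall(r"^\s*(\w+)\s+REG_\w+\s+(\S+)", reg_output, re.M))
    active = vals.get("ScreenSaveActive") == "1"
    timeout = int(vals["ScreenSaveTimeOut"]) if active and "ScreenSaveTimeOut" in vals else None
    return LockConfig(hostname, "general", timeout, vals.get("ScreenSaverIsSecure") == "1")


def parse_gnome_settings(hostname: str, gsettings_output: str) -> LockConfig:
    """Parse `gsettings list-recursively` lines for the session/screensaver schemas.

    GNOME blanks the screen after idle-delay seconds and locks lock-delay seconds
    later, so the effective time-to-lock is the sum; idle-delay 0 means never.
    """
    vals: Dict[str, str] = {}
    for line in gsettings_output.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            vals[f"{parts[0]} {parts[1]}"] = parts[-1]
    idle = int(vals.get("org.gnome.desktop.session idle-delay", "0"))
    lock_delay = int(vals.get("org.gnome.desktop.screensaver lock-delay", "0"))
    lock_enabled = vals.get("org.gnome.desktop.screensaver lock-enabled") == "true"
    timeout = idle + lock_delay if idle > 0 else None
    return LockConfig(hostname, "general", timeout, lock_enabled)


def evaluate(cfg: LockConfig) -> Tuple[bool, str]:
    """Return (compliant, reason) for one asset against the 4.3 threshold for its type."""
    limit = MAX_IDLE_SECONDS[cfg.asset_type]
    if cfg.idle_seconds is None:
        return False, "no automatic lock configured"
    if not cfg.requires_auth:
        return False, "screen blanks but resuming does not require authentication"
    if cfg.idle_seconds > limit:
        return False, f"locks after {cfg.idle_seconds}s, limit for {cfg.asset_type} is {limit}s"
    return True, f"locks after {cfg.idle_seconds}s (limit {limit}s)"


def audit(configs: List[LockConfig]) -> Dict[str, Tuple[bool, str]]:
    return {c.hostname: evaluate(c) for c in configs}


# Constructed sample exports; not captured from real systems.
WIN_OK = """HKEY_CURRENT_USER\\Control Panel\\Desktop
    ScreenSaveActive    REG_SZ    1
    ScreenSaveTimeOut    REG_SZ    900
    ScreenSaverIsSecure    REG_SZ    1
"""
WIN_NO_LOCK = """HKEY_CURRENT_USER\\Control Panel\\Desktop
    ScreenSaveActive    REG_SZ    0
"""
GNOME_SLOW = """org.gnome.desktop.session idle-delay uint32 1800
org.gnome.desktop.screensaver lock-enabled true
org.gnome.desktop.screensaver lock-delay uint32 0
"""


def sample_configs() -> List[LockConfig]:
    return [
        parse_windows_reg("ws-01", WIN_OK),
        parse_windows_reg("ws-02", WIN_NO_LOCK),
        parse_gnome_settings("ws-03", GNOME_SLOW),
        # Mobile MDM exports vary by vendor; these two are assumed already normalised to seconds.
        LockConfig("phone-01", "mobile", 300, True),
        LockConfig("phone-02", "mobile", 60, True),
    ]


if __name__ == "__main__":
    for host, (ok, reason) in audit(sample_configs()).items():
        print(f"{host}: {'PASS' if ok else 'FAIL'} - {reason}")
```

The per-host output doubles as the quarterly "configuration export" evidence listed under Evidence Requirements; the two failure modes it separates (no lock at all versus a lock that does not ask for a password) map to the first vulnerability listed below, and running it across both asset types catches the inconsistent-timeout vulnerability.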

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Unauthorized Physical Access to Unlocked Workstation (Confidentiality)

An attacker or malicious insider accesses sensitive data, installs malware, or executes commands on an unattended workstation that never locked due to missing auto-lock configuration.

Shoulder Surfing and Session Hijacking (Confidentiality)

In shared office spaces or public locations, unlocked idle sessions expose sensitive data on screen and allow passersby to interact with authenticated application sessions.

Vulnerabilities (When Safeguard Absent)

No Automatic Session Locking on Idle Devices

Without configured automatic session locking, unattended devices remain logged in indefinitely, so anyone with physical access gains the same capabilities as the authenticated user.

Inconsistent Lock Timeout Across Device Types

Without standardized lock policies, some devices lock after minutes while others never lock, creating inconsistent protection that users cannot rely on.

Evidence Requirements

Type      | Evidence Item                                                              | Collection Frequency
Technical | Configuration screenshots or exports showing protection controls enabled   | Captured quarterly
Document  | Procedure documentation for protection measures                            | Reviewed annually
Document  | Governing policy document (current, approved, communicated)                | Reviewed annually