NIST 800-53 REV 5 • ACCESS CONTROL

AC-10 Concurrent Session Control

Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. Concurrent session control addresses concurrent sessions for system accounts. It does not, however, address concurrent sessions by single users via multiple system accounts.

Practitioner Notes

Concurrent session control limits how many sessions a user can have open at the same time. This prevents credential sharing and makes it harder for an attacker to use stolen credentials alongside the legitimate user.

Example 1: On your Remote Desktop servers, configure the GPO at Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Connections → "Restrict Remote Desktop Services users to a single Remote Desktop Services session" to Enabled.

Example 2: In your web application, implement server-side session management that invalidates the oldest session when a user logs in from a new device. Most identity providers (Azure AD, Okta) support configuring maximum concurrent sessions through token policies.
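The server-side session management described in Example 2, as an added illustration that is not code from the original page or from any particular identity provider. It models a session store that resolves the concurrent-session limit in the order the supplemental guidance allows (per-account override, then account type, then a global default), invalidates the oldest session when a login would exceed the limit, and records each eviction so it can be alerted on. The account names, account types, device labels and limit values are constructed for the example; the store is in-memory, so a real deployment would back it with a shared store such as a database or cache.

```python
"""Concurrent session control (AC-10) for a web application.

Added example, not from the original page. Limits are resolved in this
order: explicit per-account limit, then per-account-type limit, then the
global default. When a login would exceed the limit, the oldest active
session is invalidated and an audit record is written. All identifiers
and limit values below are constructed for illustration.
"""
from __future__ import annotations

import secrets
import time
from collections import OrderedDict
from dataclasses import dataclass, field


@dataclass
class Session:
    session_id: str
    account: str
    created_at: float
    device: str


@dataclass
class SessionStore:
    global_limit: int = 3                                            # default for every account
    type_limits: dict[str, int] = field(default_factory=dict)        # e.g. {"admin": 1}
    account_limits: dict[str, int] = field(default_factory=dict)     # per-account overrides
    account_types: dict[str, str] = field(default_factory=dict)      # account -> account type
    _sessions: dict[str, Session] = field(default_factory=dict)      # session_id -> Session
    _by_account: dict[str, OrderedDict] = field(default_factory=dict)  # insertion order = age
    audit_log: list[dict] = field(default_factory=list)              # eviction records for alerting

    def limit_for(self, account: str) -> int:
        """Resolve the limit: account override, then account type, then global."""
        if account in self.account_limits:
            return self.account_limits[account]
        acct_type = self.account_types.get(account)
        if acct_type is not None and acct_type in self.type_limits:
            return self.type_limits[acct_type]
        return self.global_limit

    def login(self, account: str, device: str, now: float | None = None) -> Session:
        """Create a session after a successful authentication, evicting the oldest if over the limit."""
        now = time.time() if now is None else now
        limit = self.limit_for(account)
        if limit < 1:
            # A limit of zero means the account may not hold any session.
            raise PermissionError(f"concurrent sessions disabled for {account}")
        active = self._by_account.setdefault(account, OrderedDict())
        while len(active) >= limit:
            oldest_id, _ = active.popitem(last=False)      # FIFO: oldest session first
            evicted = self._sessions.pop(oldest_id)
            # Evictions on accounts that normally hold one session are a useful
            # signal of credential sharing or use of stolen credentials.
            self.audit_log.append({
                "event": "session_evicted",
                "reason": "concurrent_session_limit",
                "account": account,
                "evicted_session": evicted.session_id,
                "evicted_device": evicted.device,
                "new_device": device,
                "at": now,
            })
        session = Session(secrets.token_urlsafe(32), account, now, device)
        self._sessions[session.session_id] = session
        active[session.session_id] = None
        return session

    def validate(self, session_id: str) -> Session | None:
        """Return the session if it is still active, else None (evicted or logged out)."""
        return self._sessions.get(session_id)

    def logout(self, session_id: str) -> bool:
        """Explicitly end a session; returns False if it was not active."""
        session = self._sessions.pop(session_id, None)
        if session is None:
            return False
        self._by_account[session.account].pop(session_id, None)
        return True

    def active_sessions(self, account: str) -> list[Session]:
        """Active sessions for an account, oldest first."""
        return [self._sessions[sid] for sid in self._by_account.get(account, OrderedDict())]


if __name__ == "__main__":
    # Constructed demo: administrators get one session, everyone else gets two.
    store = SessionStore(global_limit=2, type_limits={"admin": 1},
                         account_types={"alice": "admin"})
    first = store.login("alice", "laptop")
    second = store.login("alice", "phone")   # evicts the laptop session
    print("first still valid:", store.validate(first.session_id) is not None)
    print("audit:", store.audit_log)
```

The eviction record is the piece worth wiring into monitoring: a single eviction is normal churn, but repeated evictions on one account, or evictions where the new device differs from every device the account has used before, are the pattern the practitioner notes warn about.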