NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-10 — Network Disconnect
Terminate the network connection associated with a communications session at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity.
Supplemental Guidance
Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.
Practitioner Notes
Network sessions should automatically disconnect after a period of inactivity or at the end of a session. Idle connections are an invitation for session hijacking.
Example 1: Configure your VPN gateway to disconnect idle sessions after 30 minutes of inactivity. In Cisco AnyConnect, set the "idle timeout" to 1800 seconds. Users must re-authenticate to reconnect.
Example 2: Use a GPO to set RDP session timeouts. Under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Session Time Limits, set idle session limits to 15-30 minutes and disconnected session limits to end the session after 1 hour.
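As an added example (not part of the control text or the practitioner note), this PowerShell check reads the registry values that the Session Time Limits GPO writes on the target host (MaxIdleTime and MaxDisconnectionTime, DWORD milliseconds under the Terminal Services policy key) and flags hosts where they are absent, set to "Never" (0), or longer than the limits given in Example 2. The threshold variables are assumptions taken from that example.

```powershell
# Audit the registry values behind the "Session Time Limits" GPO settings.
# Values are DWORD milliseconds; absent or 0 means "Never", which is a finding under SC-10.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Thresholds from Example 2 (assumed here as the organization's SC-10 parameter)
$MaxIdleAllowed         = 30 * 60 * 1000   # idle sessions must drop within 30 minutes
$MaxDisconnectedAllowed = 60 * 60 * 1000   # disconnected sessions must end within 1 hour

function Get-RdsTimeLimit {
    param([string]$Name)
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: no policy applied
    return [int64]$item.$Name
}

function Test-RdsTimeLimit {
    param([string]$Name, [int64]$Maximum)
    $value = Get-RdsTimeLimit -Name $Name
    if ($null -eq $value -or $value -eq 0) {
        return [pscustomobject]@{
            Setting = $Name; Milliseconds = $value; Compliant = $false
            Reason  = 'not set, or set to Never'
        }
    }
    $ok = $value -le $Maximum
    return [pscustomobject]@{
        Setting = $Name; Milliseconds = $value; Compliant = $ok
        Reason  = if ($ok) { 'within limit' } else { "exceeds $($Maximum / 60000) minutes" }
    }
}

$results = @(
    Test-RdsTimeLimit -Name 'MaxIdleTime'          -Maximum $MaxIdleAllowed
    Test-RdsTimeLimit -Name 'MaxDisconnectionTime' -Maximum $MaxDisconnectedAllowed
)
$results | Format-Table -AutoSize

# Remediation on a host not covered by the GPO (requires elevation); uncomment to apply.
# New-Item -Path $PolicyKey -Force | Out-Null
# Set-ItemProperty -Path $PolicyKey -Name 'MaxIdleTime'          -Value $MaxIdleAllowed         -Type DWord
# Set-ItemProperty -Path $PolicyKey -Name 'MaxDisconnectionTime' -Value $MaxDisconnectedAllowed -Type DWord
```

Run it from a session with read access to HKLM on each Remote Desktop host, or wrap it in Invoke-Command to sweep a fleet; any row with Compliant = False indicates a host that does not meet the SC-10 inactivity requirement as configured.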