8

From NIST SP 800-53, Rev. 3:

SC-10 NETWORK DISCONNECT

Control: The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.

I'm aware that a session lock (also required, in AC-11) can be applied to RDP sessions on Windows boxes through the local security policy, but I haven't found a policy that covers actual disconnect. Can this be done via a registry key or some other method?

Iszi
  • Are you looking to do this in code? If that's the case, Stack Overflow may be the better place to ask the question. Or are you looking for an automatic disconnect similar to auto-locking the workstation? If so, writing a replacement GINA may be the way to go. However, one more thing: I was under the impression that Windows already supports that. Of course on Windows 2000 the separation between the Terminal Services product and the others still existed. XP contains Terminal Services even though it's a client OS. Maybe you can try to clarify these points. – 0xC0000022L Mar 12 '11 at 14:21

2 Answers

3

I'm unsure whether this is the policy you're looking for, but perhaps it just slipped your attention. On the server side (this is Windows 2003) you have this:

Session configuration dialog

It allows you to define the settings for the RDP sessions over network.

Otherwise it's possible this is what you are looking for. I left a comment on your question, perhaps you can clarify there if this is not what you're looking for.

0xC0000022L
  • This screen looks like it has the options I'm after. Is there a Registry key or GPO that I can use to enforce this? – Iszi Mar 12 '11 at 15:35
  • @Iszi: See the link below the image. However, this seems to be limited to XP onwards (including 2003, but without 2000). But [this](http://technet.microsoft.com/en-us/library/cc772398(WS.10).aspx) suggests that the settings may apply to 2000 as well. – 0xC0000022L Mar 12 '11 at 16:39
  • Oh, I just realized I should have said XP/2003, not 2000. Thanks. – Iszi Mar 12 '11 at 17:35
  • @Iszi: even better then. The policies outlined in the MS article should help you solve the problem then. Good luck. – 0xC0000022L Mar 12 '11 at 22:59
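
One way to check that the idle-disconnect policy discussed in this answer is actually in force on a server, as an added example that is not part of the original thread: a read-only PowerShell audit of the registry values that Group Policy writes for RDP session time limits. The policy key path, the value names `MaxIdleTime`, `MaxDisconnectionTime` and `fResetBroken`, the function name `Get-RdpSessionLimitAudit` and the 15-minute limit are assumptions; confirm them against the linked Microsoft article for your Windows version.

```powershell
# Added example (not from the original thread): read-only audit of the RDP
# session time limits that Group Policy writes to the registry.
# Assumptions: values live under the Terminal Services policy key below as
# REG_DWORD milliseconds; the 15-minute limit is a constructed sample value.
function Get-RdpSessionLimitAudit {
    param(
        [int]$MaxIdleMinutes = 15,
        [string]$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    )
    $limitMs = $MaxIdleMinutes * 60000
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    # Return the named value, or $null when the key or the value is absent.
    function Read-PolicyValue([string]$Name) {
        if ($props -and $props.PSObject.Properties[$Name]) { return $props.$Name }
        return $null
    }
    function New-Finding($Setting, $Value, $Finding) {
        New-Object PSObject -Property @{ Setting = $Setting; Value = $Value; Finding = $Finding } |
            Select-Object Setting, Value, Finding
    }

    # MaxIdleTime: idle period after which the session is disconnected.
    $idle = Read-PolicyValue 'MaxIdleTime'
    $idleFinding = if ($null -eq $idle) { 'FAIL: not set by policy; check per-connection settings' }
        elseif ($idle -eq 0) { 'FAIL: 0 means no idle limit' }
        elseif ($idle -gt $limitMs) { "FAIL: exceeds $MaxIdleMinutes minutes" }
        else { 'PASS' }
    New-Finding 'MaxIdleTime' $idle $idleFinding

    # MaxDisconnectionTime: how long a disconnected session is kept before it is ended.
    $disc = Read-PolicyValue 'MaxDisconnectionTime'
    $discFinding = if ($disc -gt 0) { "INFO: disconnected sessions end after $($disc / 60000) min" }
        else { 'INFO: no policy limit for disconnected sessions' }
    New-Finding 'MaxDisconnectionTime' $disc $discFinding

    # fResetBroken = 1: end the session at the limit instead of only disconnecting it.
    $reset = Read-PolicyValue 'fResetBroken'
    $resetFinding = if ($reset -eq 1) { 'INFO: session is ended at the limit' }
        else { 'INFO: no policy to end the session at the limit' }
    New-Finding 'fResetBroken' $reset $resetFinding
}

Get-RdpSessionLimitAudit -MaxIdleMinutes 15 | Format-Table -AutoSize
```

A FAIL on `MaxIdleTime` only means the limit is not enforced through policy; the per-connection settings shown in the session configuration dialog may still apply.
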
-3

In Windows 7 under an RDP session, there is a button for disconnect.

Also this may help you in your decision.

http://support.microsoft.com/kb/321705

Split71
  • Welcome to the site, @Split71, and thank you for the information. This appears useful for on-demand disconnections, but the question is about automated disconnects based on session termination or idle timeout. – Iszi Mar 11 '11 at 23:02
  • Where does it say automated anywhere in his question? Read before you rate. – Split71 Mar 14 '11 at 12:26
  • "The information system terminates..." pretty strongly puts the onus on the *server* rather than the *client*. "...at the end of the session or after [Assignment: organization-defined time period] of inactivity." are arbitrary events that generally have no predictable moment of occurrence, and so would require automation to reliably enforce. Are you suggesting we have a sysadmin monitor every server, 24x7, for idle sessions so that he can go in and disconnect them? – Iszi Mar 14 '11 at 15:37