---
scapolite:
    class: rule
    version: '0.51'
id: SV-88353
id_namespace: mil.disa.Windows-Server-2016-STIG
title: Windows Server 2016 must be configured to force users to log off when their
    allowed logon hours expire.
rule: <see below>
description: <see below>
applicability:
  - system: org.scapolite.xccdf.applicability
    weight: 10.0
    selected: false
    role: ''
    severity: medium
implementations:
  - relative_id: F-80139r1
    description: <see below>
    automations:
      - system: org.scapolite.implementation.win_gpo
        ui_path: 'Computer Configuration\Policies\Windows Settings\Security Settings\Local
            Policies\Security Options\Network security: Force logoff when logon hours
            expire'
        value: Enabled
        verification_status: Checked.
      - system: org.scapolite.implementation.win_secedit
        setting_name: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff
        section: Registry Values
        value: 1
        type_value: 4
checks:
  - relative_id: C-73771r1
    description: <see below>
  - relative_id: '01'
    title: OVAL-based check
    description: <see below>
    automations:
      - system: http://oval.mitre.org/XMLSchema/oval-definitions-5
        idref: oval:mil.disa.stig.windows:def:1216
        href: U_MS_Windows_Server_2016_V1R7_STIG_SCAP_1-2_Benchmark-oval.xml
crossrefs:
  - system: http://iase.disa.mil/cci
    idref: CCI-001133
    relation: ''
  - system: http://cce.mitre.org
    idref: CCE-46389-3
    relation: ''
history:
  - version: r1
    action: created
    description: WN16-SO-000370
    internal_comment: ''
---


## /rule

Windows Server 2016 must be configured to force users to log off when their allowed logon hours expire.

## /description

[**VulnDiscussion**]{.separator type='STIG'}

Limiting logon hours can help protect data by allowing access only during specified times. This setting controls whether users are forced to log off when their allowed logon hours expire. If logon hours are set for users, this must be enforced.

[**Documentable**]{.separator type='STIG'}

false

## /implementations/0/description

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Force logoff when logon hours expire" to "Enabled".

## /checks/0/description

Verify the effective setting in Local Group Policy Editor.

Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options.

If the value for "Network security: Force logoff when logon hours expire" is not set to "Enabled", this is a finding.
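The same check can be scripted. The following PowerShell is an added example, not part of the STIG or of this rule file; it tests the registry value and the `secedit` entry named in the `win_secedit` automation above. The function names, the temp file name and the sample export lines are assumptions made for illustration.

```powershell
# Expected values are taken from the win_secedit automation on this page:
# type_value 4 (REG_DWORD), value 1.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$ValueName = 'EnableForcedLogOff'
$SeceditId = 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff'

function Test-ForcedLogoffRegistry {
    # Reads the live registry value; a missing value is reported as a finding.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Source = 'Registry'; Actual = $null; Compliant = $false }
    }
    $actual = $item.$ValueName
    [pscustomobject]@{ Source = 'Registry'; Actual = $actual; Compliant = ($actual -eq 1) }
}

function Test-ForcedLogoffSecedit {
    param([string[]]$InfLines)
    # Entries in [Registry Values] have the form "<path>=<type>,<value>".
    $section = ''
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -ne 'Registry Values') { continue }
        $name, $data = $t -split '=', 2
        if ($name -ieq $SeceditId) {
            $type, $value = $data -split ',', 2
            $ok = ($type.Trim() -eq '4' -and $value.Trim() -eq '1')
            return [pscustomobject]@{ Source = 'secedit'; Actual = $data; Compliant = $ok }
        }
    }
    # Entry absent from the export: treat as a finding.
    [pscustomobject]@{ Source = 'secedit'; Actual = $null; Compliant = $false }
}

# Constructed sample export (not from a real system) with the setting disabled.
$sample = @(
    '[Unicode]', 'Unicode=yes', '[Registry Values]',
    'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,0'
)
Test-ForcedLogoffSecedit -InfLines $sample

# On a live server, from an elevated prompt:
$cfg = Join-Path $env:TEMP 'secpol-export.inf'   # hypothetical file name
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
Test-ForcedLogoffSecedit -InfLines (Get-Content $cfg)
Test-ForcedLogoffRegistry
```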

## /checks/1/description

IASE supplies an OVAL check.