CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

2.3.7.3 (BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0' (Scored)

ProfileApplicability:

 Level 1 (L1) + BitLocker (BL)

 Level 2 (L2) + BitLocker (BL)

 BitLocker (BL) - optional add-on for when BitLocker is deployed

Description:

This security setting determines the number of failed logon attempts that causes the machine to be locked out.

Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password protected screen savers counts as failed logon attempts. The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled.

The recommended state for this setting is: 10 or fewer invalid logon attempts, but not 0 .

Note: A value of 0 does not conform to the benchmark as it disables the machine account lockout threshold. Values from 1 to 3 will be interpreted as 4 .

Rationale:

If a machine is lost or stolen, or if an insider threat attempts a brute force password attack against the computer, it is important to ensure that BitLocker will lock the computer and therefore prevent a successful attack.

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: MaxDevicePasswordFailedAttempts

189 | P a g e