CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

Remediation:

To establish the recommended configuration via GP, set the following UI path to 10 or fewer invalid logon attempts, but not 0:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine account lockout threshold

Impact:

Users will be able to mistype their password several times, but the machine account will be locked out if a brute force password attack occurs. A locked out machine can only be recovered by providing the BitLocker recovery key at the console.

Default Value:

0 invalid logon attempts. (The machine will never lock out.)
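As an added example (not part of the CIS benchmark text), the following PowerShell function audits the setting described in the Remediation and Default Value sections above: it reports a finding when the threshold is absent or 0 (the machine never locks out) or when it exceeds 10. It assumes the policy is stored as the DWORD value MaxDevicePasswordFailedAttempts under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; that location is not stated on this page.

```powershell
# Compliance check for "Interactive logon: Machine account lockout threshold".
# Assumption (not given on this page): the policy is persisted as the DWORD
# MaxDevicePasswordFailedAttempts under the Policies\System key below.
function Test-MachineAccountLockoutThreshold {
    [CmdletBinding()]
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
        [string]$ValueName = 'MaxDevicePasswordFailedAttempts',
        [int]$MaxAllowed   = 10   # CIS: 10 or fewer invalid logon attempts, but not 0
    )

    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value not present: Windows applies the default of 0, i.e. no lockout ever occurs.
        $configured = 0
        $source     = 'default (value not present)'
    } else {
        $configured = [int]$item.$ValueName
        $source     = 'registry'
    }

    # Compliant only inside the range 1..MaxAllowed; 0 disables the protection entirely.
    $compliant = ($configured -ge 1) -and ($configured -le $MaxAllowed)

    $finding = if ($compliant) {
        'OK'
    } elseif ($configured -eq 0) {
        'Lockout disabled (0): repeated invalid logons are never blocked'
    } else {
        "Threshold $configured exceeds the recommended maximum of $MaxAllowed"
    }

    [pscustomobject]@{
        Setting    = 'Interactive logon: Machine account lockout threshold'
        Configured = $configured
        Source     = $source
        Compliant  = $compliant
        Finding    = $finding
    }
}

Test-MachineAccountLockoutThreshold | Format-List
```

Run it in an elevated session on the audited host; a `Compliant` value of `False` with `Source` equal to `default (value not present)` means the setting has never been applied by GP.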

References:

1. CCE-34899-5

CIS Controls:

Version 6

13.2 Deploy Hard Drive Encryption Software
Deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data.

16.5 Ensure Workstation Screen Locks Are Configured
Configure screen locks on systems to limit access to unattended workstations.

Version 7

16.11 Lock Workstation Sessions After Inactivity
Automatically lock workstation sessions after a standard period of inactivity.

16.2 Configure Centralized Point of Authentication
Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
