CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark
Impact:
If this policy setting is enabled, a locked-out account will not be usable until it is reset by an administrator or until the account lockout duration expires. This setting may generate additional help desk calls. If you enforce this setting, an attacker could cause a denial of service condition by deliberately generating failed logons for multiple users; therefore you should also configure the Account Lockout Duration to a relatively low value. If you configure the Account Lockout Threshold to 0, there is a possibility that an attacker's attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism is not in place.
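The trade-off described above (lockout threshold versus lockout-based denial of service, and the need for failed-logon auditing when the threshold is 0) can be checked on a workstation with a short script. The following PowerShell is an added example, not part of the CIS Benchmark text: it reads the local lockout policy from a secedit export, confirms that failed logons are being audited, and summarises recent failed-logon (Event ID 4625) and account-locked-out (Event ID 4740) events so a burst of failures against one or many accounts is visible. The pass/fail limits at the top are assumptions chosen for illustration, not the benchmark's recommended values.

```powershell
# Added example (not from the CIS Benchmark): audit Account Lockout Threshold /
# Duration and the failed-logon audit setting, then report recent failure bursts.
# Run in an elevated PowerShell session on the machine being assessed.
# All limit values below are assumptions for illustration only.
$MaxAcceptableThreshold = 10   # assumed ceiling for "failed logon attempts"
$MaxLockoutMinutes      = 30   # assumed ceiling for a "relatively low" duration
$LookbackMinutes        = 60   # assumed window for the event summary
$BurstFailures          = 10   # assumed failures per account worth a closer look

function Get-LockoutPolicy {
    # secedit exports local security policy as an INF file; the [System Access]
    # section carries LockoutBadCount (attempts), LockoutDuration and
    # ResetLockoutCount (both in minutes). The latter two may be absent when the
    # threshold is 0, so missing keys are tolerated.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $inf /quiet | Out-Null
    $text = Get-Content -Path $inf -Raw
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    $policy = @{}
    foreach ($key in 'LockoutBadCount', 'LockoutDuration', 'ResetLockoutCount') {
        if ($text -match "(?m)^$key\s*=\s*(\S+)") { $policy[$key] = [int]$Matches[1] }
    }
    return $policy
}

function Test-LogonFailureAuditing {
    # auditpol /r prints CSV; "Inclusion Setting" shows whether failures are audited.
    $rows = & auditpol.exe /get /subcategory:"Logon" /r |
            Where-Object { $_ -ne '' } | ConvertFrom-Csv
    $setting = ($rows | Select-Object -First 1).'Inclusion Setting'
    return [bool]($setting -match 'Failure')
}

function Get-TargetUserName($event) {
    # Pull TargetUserName by name from the event XML rather than by index.
    $data = ([xml]$event.ToXml()).Event.EventData.Data
    return ($data | Where-Object { $_.Name -eq 'TargetUserName' } | Select-Object -ExpandProperty '#text')
}

function Get-RecentFailureSummary {
    param([int]$Minutes = $LookbackMinutes, [int]$Threshold = $BurstFailures)
    $since  = (Get-Date).AddMinutes(-$Minutes)
    $failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue)
    $locked = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue)
    $bursts = $failed | ForEach-Object { Get-TargetUserName $_ } |
              Group-Object | Where-Object { $_.Count -ge $Threshold } |
              Select-Object @{ n = 'Account'; e = { $_.Name } }, Count
    return [pscustomobject]@{
        FailedLogons     = $failed.Count
        AccountsLockedOut = $locked.Count
        Bursts           = $bursts
    }
}

# --- Report ---------------------------------------------------------------
$p = Get-LockoutPolicy
if (-not $p.ContainsKey('LockoutBadCount')) { Write-Warning 'Could not read the lockout policy.'; return }

if ($p.LockoutBadCount -eq 0) {
    Write-Warning 'Account Lockout Threshold is 0: accounts never lock, so brute-force attempts are only visible through auditing.'
} elseif ($p.LockoutBadCount -gt $MaxAcceptableThreshold) {
    Write-Warning "Account Lockout Threshold is $($p.LockoutBadCount); above the assumed ceiling of $MaxAcceptableThreshold."
} else {
    Write-Output "Account Lockout Threshold: $($p.LockoutBadCount) failed attempts."
}

if ($p.ContainsKey('LockoutDuration')) {
    if ($p.LockoutDuration -eq -1) {
        Write-Warning 'Account Lockout Duration is unlimited (administrator reset required); deliberate failed logons can keep users locked out indefinitely.'
    } elseif ($p.LockoutDuration -gt $MaxLockoutMinutes) {
        Write-Warning "Account Lockout Duration is $($p.LockoutDuration) minutes; longer than the assumed ceiling of $MaxLockoutMinutes."
    } else {
        Write-Output "Account Lockout Duration: $($p.LockoutDuration) minutes."
    }
}

if (Test-LogonFailureAuditing) { Write-Output 'Logon failure auditing: enabled.' }
else { Write-Warning 'Logon failure auditing is NOT enabled; failed logons will not appear in the Security log.' }

$summary = Get-RecentFailureSummary
Write-Output "Last $LookbackMinutes min: $($summary.FailedLogons) failed logons, $($summary.AccountsLockedOut) lockouts."
if ($summary.Bursts) { $summary.Bursts | Format-Table -AutoSize }
```

A lockout duration of -1 in the export means "until an administrator unlocks it", which is the case the Impact text warns about: with a high or unlimited duration, an attacker who can generate failures at will turns the lockout into a denial of service against legitimate users. The event summary is deliberately coarse; it is meant to show whether the audit trail the benchmark relies on actually exists and is populated, not to replace a SIEM rule.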
Default Value:
0 failed logon attempts.
References:
1. CCE-33728-7
CIS Controls:
Version 6
16 Account Monitoring and Control
16.7 Configure Account Lockouts
Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time.
Version 7
16.11 Lock Workstation Sessions After Inactivity
Automatically lock workstation sessions after a standard period of inactivity.