CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

Impact:

If you do not configure this policy setting, or if the value is configured to an interval that is too long, a DoS attack could occur: an attacker could maliciously attempt to log on to each user's account numerous times and lock out their accounts, as described in the preceding paragraphs. If you do not configure the Reset account lockout counter after setting, administrators would have to manually unlock all accounts. If you configure this policy setting to a reasonable value, users would be locked out for some period, after which their accounts would unlock automatically. Be sure to notify users of the values used for this policy setting so that they will wait for the lockout timer to expire before they call the help desk about their inability to log on.

Default Value:

None, because this policy setting only has meaning when an Account lockout threshold is specified. When an Account lockout threshold is configured, Windows automatically suggests a value of 30 minutes.
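The following PowerShell audit script is an added example, not part of the CIS benchmark: it exports the local security policy with secedit and checks the Reset account lockout counter after value together with the lockout threshold and duration it depends on. The $MinResetMinutes and $MaxResetMinutes bounds are assumed parameters chosen by the reader, not values stated on this page.

```powershell
param(
    [int]$MinResetMinutes = 15,   # assumed floor, not a value from this page
    [int]$MaxResetMinutes = 30    # assumed ceiling; the page only says Windows suggests 30
)

# Export the local security policy (elevated prompt required) to a temporary .inf file.
$cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed; run from an elevated prompt" }

# Parse the [System Access] section into a hashtable of name -> integer.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
        $policy[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Key names as secedit writes them; -1 means the key was not exported at all.
$threshold = if ($policy.ContainsKey('LockoutBadCount'))   { $policy['LockoutBadCount'] }   else { -1 }
$reset     = if ($policy.ContainsKey('ResetLockoutCount')) { $policy['ResetLockoutCount'] } else { -1 }
$duration  = if ($policy.ContainsKey('LockoutDuration'))   { $policy['LockoutDuration'] }   else { -1 }

$findings = @()
if ($threshold -le 0) {
    # Matches the Default Value text: the reset counter only has meaning with a threshold set.
    $findings += 'INFO: Account lockout threshold is 0/unset; Reset account lockout counter after has no effect.'
} else {
    if ($reset -le 0) {
        $findings += 'FAIL: Reset account lockout counter after is not configured; locked accounts need manual unlock.'
    } elseif ($reset -gt $MaxResetMinutes) {
        $findings += "WARN: Reset window of $reset minutes exceeds the assumed ceiling of $MaxResetMinutes (longer DoS exposure)."
    } elseif ($reset -lt $MinResetMinutes) {
        $findings += "WARN: Reset window of $reset minutes is below the assumed floor of $MinResetMinutes."
    }
    # Windows requires the reset window to be no longer than the lockout duration (0 = locked until an admin unlocks).
    if ($duration -gt 0 -and $reset -gt $duration) {
        $findings += "FAIL: Reset window ($reset min) is longer than the lockout duration ($duration min)."
    }
}
if ($findings.Count -eq 0) { $findings += "PASS: threshold=$threshold, reset=$reset min, duration=$duration min" }
$findings
```

Run it from an elevated Windows PowerShell session on the machine being audited; on a domain-joined host the effective values come from the domain password policy, so compare against the export rather than assuming local settings apply.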

References:

1. CCE-35408-4

CIS Controls:

Version 6

16 Account Monitoring and Control

16.7 Configure Account Lockouts Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time.

Version 7

16.11 Lock Workstation Sessions After Inactivity Automatically lock workstation sessions after a standard period of inactivity.
