SV-87965.md
---
scapolite:
class: rule
version: '0.51'
id: SV-87965
id_namespace: mil.disa.Windows-Server-2016-STIG
title: The period of time before the bad logon counter is reset must be configured
to 15 minutes or greater.
rule: <see below>
description: <see below>
applicability:
- system: org.scapolite.xccdf.applicability
weight: 10.0
selected: false
role: ''
severity: medium
implementations:
- relative_id: F-79755r1
description: <see below>
automations:
- system: org.scapolite.implementation.win_gpo
ui_path: Computer Configuration\Policies\Windows Settings\Security Settings\Account
Policies\Account Lockout Policy\Reset account lockout counter after
value: '15'
verification_status: Checked.
- system: org.scapolite.implementation.win_secedit
setting_name: ResetLockoutCount
section: System Access
value: 15
checks:
- relative_id: C-73417r1
description: <see below>
- relative_id: '01'
title: OVAL-based check
description: <see below>
automations:
- system: http://oval.mitre.org/XMLSchema/oval-definitions-5
idref: oval:mil.disa.stig.windows:def:1013
href: U_MS_Windows_Server_2016_V1R7_STIG_SCAP_1-2_Benchmark-oval.xml
exports:
- value_id_namespace: mil.disa.Windows-Server-2016-STIG
value_idref: account_lockout_reset_counter_var
variable_idref: oval:mil.disa.stig.windows:var:101300
crossrefs:
- system: http://iase.disa.mil/cci
idref: CCI-000044
relation: ''
- system: http://iase.disa.mil/cci
idref: CCI-002238
relation: ''
- system: http://cce.mitre.org
idref: CCE-47272-0
relation: ''
history:
- version: r1
action: created
description: WN16-AC-000030
internal_comment: ''
---
## /rule
The period of time before the bad logon counter is reset must be configured to 15 minutes or greater.
## /description
[**VulnDiscussion**]{.separator type='STIG'}
The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that must pass after failed logon attempts before the counter is reset to "0". The smaller this value is, the less effective the account lockout feature will be in protecting the local system.
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128
[**Documentable**]{.separator type='STIG'}
false
## /implementations/0/description
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Reset account lockout counter after" to at least "15" minutes.
## /checks/0/description
Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy.
If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding.
## /checks/1/description
IASE supplies an OVAL check.