---
scapolite:
    class: rule
    version: '0.51'
id: SV-87965
id_namespace: mil.disa.Windows-Server-2016-STIG
title: The period of time before the bad logon counter is reset must be configured
    to 15 minutes or greater.
rule: <see below>
description: <see below>
applicability:
  - system: org.scapolite.xccdf.applicability
    weight: 10.0
    selected: false
    role: ''
    severity: medium
implementations:
  - relative_id: F-79755r1
    description: <see below>
    automations:
      - system: org.scapolite.implementation.win_gpo
        ui_path: Computer Configuration\Policies\Windows Settings\Security Settings\Account
            Policies\Account Lockout Policy\Reset account lockout counter after
        value: '15'
        verification_status: Checked.
      - system: org.scapolite.implementation.win_secedit
        setting_name: ResetLockoutCount
        section: System Access
        value: 15
checks:
  - relative_id: C-73417r1
    description: <see below>
  - relative_id: '01'
    title: OVAL-based check
    description: <see below>
    automations:
      - system: http://oval.mitre.org/XMLSchema/oval-definitions-5
        idref: oval:mil.disa.stig.windows:def:1013
        href: U_MS_Windows_Server_2016_V1R7_STIG_SCAP_1-2_Benchmark-oval.xml
        exports:
          - value_id_namespace: mil.disa.Windows-Server-2016-STIG
            value_idref: account_lockout_reset_counter_var
            variable_idref: oval:mil.disa.stig.windows:var:101300
crossrefs:
  - system: http://iase.disa.mil/cci
    idref: CCI-000044
    relation: ''
  - system: http://iase.disa.mil/cci
    idref: CCI-002238
    relation: ''
  - system: http://cce.mitre.org
    idref: CCE-47272-0
    relation: ''
history:
  - version: r1
    action: created
    description: WN16-AC-000030
    internal_comment: ''
---


## /rule

The period of time before the bad logon counter is reset must be configured to 15 minutes or greater.

## /description

[**VulnDiscussion**]{.separator type='STIG'}

The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that must pass after failed logon attempts before the counter is reset to "0". The smaller this value is, the less effective the account lockout feature will be in protecting the local system.

Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128

[**Documentable**]{.separator type='STIG'}

false

## /implementations/0/description

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Reset account lockout counter after" to at least "15" minutes.

## /checks/0/description

Verify the effective setting in Local Group Policy Editor.

Run "gpedit.msc".

Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy.

If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding.
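
The same check can be scripted against a `secedit` export, using the `ResetLockoutCount` setting in the `System Access` section named in this rule's metadata. The following PowerShell is an added example, not part of the STIG or its OVAL content; the function names and the sample export lines are constructed for illustration, and reporting an absent setting as a finding is an assumption of this example.

```powershell
# Added example: evaluate ResetLockoutCount from secedit export lines.
# Function names are hypothetical; they are not part of any Microsoft or DISA tooling.
function Get-ResetLockoutCount {
    param([string[]]$InfLines)
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            # Track whether we are inside [System Access]
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $t -match '^ResetLockoutCount\s*=\s*(\d+)$') {
            return [int]$Matches[1]
        }
    }
    return $null   # setting not present in the export
}

function Test-ResetLockoutCount {
    param([string[]]$InfLines, [int]$Minimum = 15)
    $value = Get-ResetLockoutCount -InfLines $InfLines
    # Assumption of this example: an absent setting is reported as a finding
    # so that it is reviewed by hand rather than silently passed.
    $finding = ($null -eq $value) -or ($value -lt $Minimum)
    [pscustomobject]@{
        Setting = 'ResetLockoutCount'
        Value   = $value
        Minimum = $Minimum
        Finding = $finding
    }
}

# Constructed sample export (not taken from a real host): 10 minutes is a finding.
$sample = @'
[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 3
ResetLockoutCount = 10
LockoutDuration = 15
'@ -split '\r?\n'

Test-ResetLockoutCount -InfLines $sample

# On a live host, from an elevated prompt, export the policy and evaluate it:
# $cfg = Join-Path $env:TEMP 'secpol.inf'
# secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
# Test-ResetLockoutCount -InfLines (Get-Content $cfg); Remove-Item $cfg
```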

## /checks/1/description

IASE supplies an OVAL check.