
Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'

Details

This security setting determines the number of failed logon attempts that causes the machine to be locked out.

Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or a password-protected screen saver count as failed logon attempts.

The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled.

The recommended state for this setting is: 10 or fewer invalid logon attempts, but not 0.

Note: A value of 0 does not conform to the benchmark as it disables the machine account lockout threshold. Values from 1 to 3 will be interpreted as 4.

Rationale:

If a machine is lost or stolen, or if an insider threat attempts a brute force password attack against the computer, it is important to ensure that BitLocker will lock the computer and therefore prevent a successful attack.

Impact:

Users will be able to mistype their password several times, but the machine account will be locked out if a brute force password attack occurs. A locked-out machine can only be recovered by providing the BitLocker recovery key at the console.

Solution

To establish the recommended configuration via GP, set the following UI path to 10 or fewer invalid logon attempts, but not 0:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine account lockout threshold

Default Value:

0 invalid logon attempts. (The machine will never lock out.)
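A local audit of this control, added here as an example and not part of the benchmark text: it reads the configured threshold, applies the benchmark's interpretation rules (absent or 0 means never lock out; 1 to 3 are applied as 4) and reports whether the effective value falls in the compliant range of 1 to 10. It assumes the policy is backed by the registry value `MaxDevicePasswordFailedAttempts` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, which the page itself does not state.

```powershell
# Added audit example for 'Interactive logon: Machine account lockout threshold'.
# Assumption (not stated on this page): the policy is stored in the registry value
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MaxDevicePasswordFailedAttempts.
$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$RegValue = 'MaxDevicePasswordFailedAttempts'

function Get-EffectiveLockoutThreshold {
    param([Nullable[int]]$Configured)
    # No value present = default of 0, i.e. the machine never locks out.
    if ($null -eq $Configured) { return 0 }
    # The benchmark notes that values 1 to 3 are interpreted as 4.
    if ($Configured -ge 1 -and $Configured -le 3) { return 4 }
    return $Configured
}

function Test-MachineLockoutThreshold {
    param([Nullable[int]]$Configured)
    $effective = Get-EffectiveLockoutThreshold $Configured
    # Compliant: 10 or fewer invalid attempts, but not 0.
    $compliant = ($effective -ge 1) -and ($effective -le 10)
    [pscustomobject]@{
        Configured = $Configured
        Effective  = $effective
        Compliant  = $compliant
    }
}

$item = Get-ItemProperty -Path $RegPath -Name $RegValue -ErrorAction SilentlyContinue
$configured = if ($null -ne $item) { [int]$item.$RegValue } else { $null }
$result = Test-MachineLockoutThreshold $configured

# Caveat from the page: the lockout is only enforced when BitLocker protects the OS volume,
# so a compliant threshold on an unencrypted system drive gives no protection.
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$bitLockerOn = ($null -ne $osVolume) -and ($osVolume.ProtectionStatus -eq 'On')
$result | Add-Member -NotePropertyName BitLockerOnOsVolume -NotePropertyValue $bitLockerOn
$result
```

Run from an elevated PowerShell session; `Get-BitLockerVolume` requires the BitLocker module, and a result with `Compliant = True` but `BitLockerOnOsVolume = False` means the threshold is set but not actually enforced.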

Supportive Information


This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Windows.


Updated on July 16, 2022