WN12-AC-000003 – The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2012.

Details

The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that must pass after failed logon attempts before the counter is reset to ‘0’. The smaller this value is, the less effective the account lockout feature will be in protecting the local system.

Solution

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> ‘Reset account lockout counter after’ to at least ’15’ minutes.

Supportive Information

The following resource is also helpful.

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2012_and_2012_R2_MS_V3R3_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Windows.

References

800-53|AC-7a.
800-53|AC-7b.
CAT|II
CCI|CCI-000044
CCI|CCI-002238
Rule-ID|SV-225268r569185_rule
STIG-ID|WN12-AC-000003
STIG-Legacy|SV-52849
STIG-Legacy|V-1098
Vuln-ID|V-225268

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles