Check: 4.003
Windows 2003 DC STIG: 4.003 (in version v6 r40)
Title
Time before bad-logon counter is reset does not meet minimum requirements. (Cat II impact)
Discussion
This parameter specifies the amount of time that must pass between two successive login attempts to ensure that a lockout will occur. The smaller this value is, the less effective the account lockout feature will be in protecting the local system.
Check Content
Fix Text
Configure the system to have the lockout counter reset itself after a minimum of 60 minutes.
Additional Identifiers
Rule ID: SV-29637r1_rule
Vulnerability ID: V-1098
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000044 | Enforce the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period. |
CCI-002238 | Automatically lock the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded. |
Controls
Number | Title |
---|---|
AC-7 | Unsuccessful Logon Attempts |