Check: 4.004
Windows 2003 MS STIG: 4.004 (in version v6 r37)
Title
Lockout duration does not meet minimum requirements. (Cat II impact)
Discussion
This parameter specifies the amount of time that must pass before a locked-out account is automatically unlocked by the system.
Check Content
Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Account Policies -> Account Lockout Policy. If the "Account lockout duration" is not set to "0", requiring an administrator to unlock the account, then this is a finding.
Fix Text
Configure the system so that the bad logon lockout duration conforms to DoD requirements.
Additional Identifiers
Rule ID: SV-29641r1_rule
Vulnerability ID: V-1099
Group Title:
CCIs
Number | Definition |
---|---|
CCI-002238 | Automatically lock the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded. |
Controls
Number | Title |
---|---|
AC-7 | Unsuccessful Logon Attempts |