Title

Domain Controller authentication must not be required to unlock the workstation. (Cat III impact)

Discussion

This setting controls the behavior of the system when there is an attempt to unlock the workstation. If this setting is enabled, the system will pass the credentials to the domain controller (if in a domain) for authentication before allowing the system to be unlocked. This may cause a denial of service if the workstation loses connectivity to the domain controller.

Check Content

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Interactive logon: Require domain controller authentication to unlock workstation" is not set to "Disabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: ForceUnlockLogon Value Type: REG_DWORD Value: 0

Fix Text

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive logon: Require domain controller authentication to unlock workstation" to "Disabled".

Additional Identifiers

Rule ID: SV-48077r1_rule

Vulnerability ID: V-3375

Group Title: Domain Controller authentication for unlock

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.