Navigate

Check: 4.004

Windows Vista STIG: 4.004 (in versions v6 r42 through v6 r41)

Title

Lockout duration does not meet minimum requirements. (Cat II impact)

Discussion

This parameter specifies the amount of time that must pass before a locked-out account is automatically unlocked by the system.

Check Content

Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Account Policies -> Account Lockout Policy. If the “Account lockout duration” is not set to "0", requiring and administrator to unlock the account, then this is a finding.

Fix Text

Configure the system so that the bad logon lockout duration conforms to DoD requirements.

Additional Identifiers

Rule ID: SV-29642r1_rule

Vulnerability ID: V-1099

Group Title: Lockout Duration

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-002238	The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-7	Unsuccessful Logon Attempts