Title

Domain Controller authentication is not required to unlock the workstation. (Cat III impact)

Discussion

This setting controls the behavior of the system when you attempt to unlock the workstation. If this setting is enabled, the system will pass the credentials to the domain controller (if in a domain) for authentication before allowing the system to be unlocked. This will be set to disabled per the FDCC.

Check Content

Workstations - Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for “Interactive logon: Require domain controller authentication to unlock workstation” is not set to “Disabled”, then this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: ForceUnlockLogon Value Type: REG_DWORD Value: 0

Fix Text

Workstations - Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Interactive logon: Require domain controller authentication to unlock workstation” to “Disabled”.

Additional Identifiers

Rule ID: SV-18419r1_rule

Vulnerability ID: V-3375

Group Title: Domain Controller authentication for unlock

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.