Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3375 | 4.045 | SV-25049r1_rule | ECSC-1 | Low |
Description |
---|
This setting controls the behavior of the system when you attempt to unlock the workstation. If this setting is enabled, the system will pass the credentials to the domain controller (if in a domain) for authentication before allowing the system to be unlocked. This may cause a denial of service if the workstation looses connectivity to the domain controller. |
STIG | Date |
---|---|
Windows 7 Security Technical Implementation Guide | 2015-03-09 |
Check Text ( C-18074r1_chk ) |
---|
Workstations - Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for “Interactive logon: Require domain controller authentication to unlock workstation” is not set to “Disabled”, then this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: ForceUnlockLogon Value Type: REG_DWORD Value: 0 |
Fix Text (F-22888r1_fix) |
---|
Workstations - Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “Interactive logon: Require domain controller authentication to unlock workstation” to “Disabled”. |