Domain Controller authentication must not be required to unlock the workstation.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-3375 | WN08-SO-000026 | SV-48077r1_rule | ECSC-1 | Low |
| Description |
|---|
| This setting controls the behavior of the system when there is an attempt to unlock the workstation. If this setting is enabled, the system will pass the credentials to the domain controller (if in a domain) for authentication before allowing the system to be unlocked. This may cause a denial of service if the workstation loses connectivity to the domain controller. |
| STIG | Date |
|---|---|
| Windows 8 Security Technical Implementation Guide | 2014-01-07 |
Details
| Check Text ( C-44816r1_chk ) |
|---|
| Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Interactive logon: Require domain controller authentication to unlock workstation" is not set to "Disabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: ForceUnlockLogon Value Type: REG_DWORD Value: 0 |
| Fix Text (F-41215r1_fix) |
|---|
| Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive logon: Require domain controller authentication to unlock workstation" to "Disabled". |