UCF STIG Viewer Logo

The lockout duration must be configured to require an administrator to unlock an account.


Overview

Finding ID Version Rule ID IA Controls Severity
V-1099 WN12-AC-000001 SV-52850r1_rule Medium
Description
The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that an account will remain locked after the specified number of failed logon attempts. A value of 0 will require an administrator to unlock the account.
STIG Date
Windows Server 2012 / 2012 R2 Member Server Security Technical Implementation Guide 2016-12-19

Details

Check Text ( C-47167r2_chk )
Verify the effective setting in Local Group Policy Editor.
Run "gpedit.msc".

Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy.

If the "Account lockout duration" is not set to "0", requiring an administrator to unlock the account, this is a finding.
Fix Text (F-45776r1_fix)
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy -> "Account lockout duration" to "0" minutes, "Account is locked out until administrator unlocks it".