
This section covers the Worklet that automatically applies the CIS recommendations for (1) Account Policies, (1.2) Account Lockout. It is highly recommended that all Windows devices adhere to these recommendations and be evaluated frequently to ensure compliance.



1.2.1 (L1) Ensure ‘Account lockout duration’ is set to ‘15 or more minute(s)’

1.2.2 (L1) Ensure ‘Account lockout threshold’ is set to ‘10 or fewer invalid logon attempt(s), but not 0’

1.2.3 (L1) Ensure ‘Reset account lockout counter after’ is set to ‘15 or more minute(s)’



You can set these to be more restrictive than the values above, but the following remediation code, run without changes, will set the thresholds exactly as listed above.



Remediation code:



#SYNOPSIS
#Automatically configures the Account Policies -> Account Lockout Policy to the CIS recommended configuration for Windows 10 1809

#1.2 Account Lockout Policy
#1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)'
#1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'
#1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'

#AUTHOR
#Adam Whitman

#DATE
#January 3rd 2020

#Sets the number of invalid logon attempts before the account is locked out.
#The recommended setting is 10 or fewer, but not 0.
#This one is applied first: while the threshold is 0 (the Windows default), secedit does not
#export LockoutDuration or ResetLockoutCount at all, so the two replacements further down
#would find nothing to change and the policy would silently stay at its default.
$lockbadcnt = 10
secedit /export /cfg c:\secpol.cfg
#Replace the whole "LockoutBadCount = <old>" line. A plain string replace of the key name alone
#would leave the old value behind ("LockoutBadCount = 10 = 0") and secedit would not apply it.
(gc C:\secpol.cfg) -replace '^LockoutBadCount\s*=.*', "LockoutBadCount = $lockbadcnt" | Out-File C:\secpol.cfg
secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY
rm -force c:\secpol.cfg -confirm:$false

#This policy setting determines the length of time before the account lockout counter resets to zero.
#The recommended state for this setting is 15 or more minute(s). Must be <= the "LockoutDuration" value.
$lockreset = 15
secedit /export /cfg c:\secpol.cfg
(gc C:\secpol.cfg) -replace '^ResetLockoutCount\s*=.*', "ResetLockoutCount = $lockreset" | Out-File C:\secpol.cfg
secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY
rm -force c:\secpol.cfg -confirm:$false

#The length of time an account stays locked out before the user is allowed to attempt logon again.
#The recommended setting is 15 minutes or more. MUST BE SET >= the "ResetLockoutCount" value
#(Windows rejects a lockout duration shorter than the reset window).
$lockduration = 15
secedit /export /cfg c:\secpol.cfg
(gc C:\secpol.cfg) -replace '^LockoutDuration\s*=.*', "LockoutDuration = $lockduration" | Out-File C:\secpol.cfg
secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY
rm -force c:\secpol.cfg -confirm:$false



All credit goes to @awhitman for creating this worklet.

Thanks for this. Can you advise if you created this as a worklet and if so what did you add for the “Evaluation Code”?


Hi Pat,



Please take a look at the below example and customize it as necessary for your environment. Hope this helps!



#Export the current local policy first; the remediation code deletes c:\secpol.cfg when it finishes,
#so the file does not exist until it is regenerated here.
secedit /export /cfg C:\secpol.cfg

#Each line in the export looks like "ResetLockoutCount = 30"; take the value after " = ".
#If the threshold is 0, secedit omits the duration and reset lines, the split yields $null,
#and the comparison below correctly flags the device as needing remediation.
$resetLockoutCount = ((gc C:\secpol.cfg | Select-String -Pattern 'ResetLockoutCount') -split " = ")[1]
$lockoutDuration = ((gc C:\secpol.cfg | Select-String -Pattern 'LockoutDuration') -split " = ")[1]
$lockoutCount = ((gc C:\secpol.cfg | Select-String -Pattern 'LockoutBadCount') -split " = ")[1]

$remediationRequired = 0
if($resetLockoutCount -ne 15 -OR $lockoutDuration -ne 15 -OR $lockoutCount -ne 10)
{
$remediationRequired = 1
}

rm -force c:\secpol.cfg -confirm:$false
#Non-zero exit tells the Worklet that remediation is required
exit $remediationRequired

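The reply above tests for exact values, so a device hardened beyond the baseline (say a 30 minute lockout) is reported as non-compliant. The following is an added example, not code from the worklet or from Adam's reply, that evaluates each value against the CIS range instead; the scratch file path is an assumption, and the exit convention (non-zero means remediate) is taken from the thread's own evaluation code.

```powershell
# Added example (not the worklet author's code): evaluate the three CIS 1.2.x
# values against their recommended ranges instead of exact equality.
# Assumed: runs elevated; the scratch path below is an assumption, any writable path works.
$cfg = Join-Path $env:TEMP 'secpol-eval.cfg'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

# Parse "Key = Value" lines for the three lockout keys into a hashtable of integers.
# Negative values are captured too, so an unusual setting is reported rather than ignored.
$policy = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)') {
        $policy[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $cfg -Force -Confirm:$false

$findings = @()

# 1.2.2: threshold must be 1..10. With the default threshold of 0, secedit omits the
# LockoutDuration and ResetLockoutCount keys entirely, so a missing key is a finding too.
$threshold = $policy['LockoutBadCount']
if ($null -eq $threshold -or $threshold -lt 1 -or $threshold -gt 10) {
    $findings += "1.2.2 LockoutBadCount is '$threshold', expected 1-10"
}

# 1.2.1: lockout duration must be 15 or more minutes.
$duration = $policy['LockoutDuration']
if ($null -eq $duration -or $duration -lt 15) {
    $findings += "1.2.1 LockoutDuration is '$duration', expected 15 or more"
}

# 1.2.3: reset window must be 15 or more minutes and, as Windows requires,
# no larger than the lockout duration.
$reset = $policy['ResetLockoutCount']
if ($null -eq $reset -or $reset -lt 15) {
    $findings += "1.2.3 ResetLockoutCount is '$reset', expected 15 or more"
} elseif ($null -ne $duration -and $duration -ge 0 -and $reset -gt $duration) {
    $findings += "1.2.3 ResetLockoutCount ($reset) exceeds LockoutDuration ($duration)"
}

# Worklet convention from the thread: non-zero exit means remediation is required.
if ($findings.Count -eq 0) {
    Write-Output 'Compliant with CIS 1.2.1-1.2.3'
    exit 0
}
$findings | ForEach-Object { Write-Output "Non-compliant: $_" }
exit 1
```

Each finding names the benchmark item and the observed value, so the Worklet output doubles as an audit record of why a device was flagged.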