CIS Compliance: Windows 10 - 1 Account Policies - 1.2 Account Lockout

This section covers the Worklet that automatically applies the CIS recommendations for (1) Account Policies, (1.2) Account Lockout. It is highly recommended that all Windows devices adhere to these recommendations and be evaluated frequently to ensure compliance.

1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'
1.2.2 (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'
1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'

You can set these to be more restrictive than the values above, but the following remediation code, run unchanged, sets exactly the thresholds listed above.

Remediation code:

#SYNOPSIS
#Automatically configures the Account Policies -> Account Lockout Policies to the CIS recommended configuration for Windows 10 1809

#1.2 Account Lockout Policy
#1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)'
#1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'
#1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'

#AUTHOR
#Adam Whitman

#DATE
#January 3rd 2020

#Recommended values (tighten them if required, but keep ResetLockoutCount <= LockoutDuration)
#LockoutBadCount:   number of invalid logon attempts before the account is locked out (10 or fewer, but not 0)
#LockoutDuration:   minutes a locked-out account stays locked before logon is allowed again (15 or more);
#                   Windows requires this to be >= ResetLockoutCount
#ResetLockoutCount: minutes before the invalid-logon counter resets to zero (15 or more)
$settings = [ordered]@{
    LockoutBadCount   = 10
    LockoutDuration   = 15
    ResetLockoutCount = 15
}

#Export the current local security policy once, edit all three values in memory, then apply them once
$cfg = 'C:\secpol.cfg'
secedit /export /cfg $cfg | Out-Null
$lines = Get-Content $cfg

foreach ($name in $settings.Keys) {
    $newLine = "$name = $($settings[$name])"
    if ($lines -match "^$name\s*=") {
        #Key present: replace the whole 'Key = value' line. Replacing only the key name
        #(as a plain string replace does) would yield e.g. 'ResetLockoutCount = 15 = 30'.
        $lines = $lines -replace "^$name\s*=.*", $newLine
    } else {
        #Key absent (secedit omits LockoutDuration and ResetLockoutCount while lockout is disabled): add it under [System Access]
        $lines = $lines -replace '^\[System Access\]\s*$', "[System Access]`r`n$newLine"
    }
}

#secedit expects a Unicode (UTF-16 LE) .cfg; set the encoding explicitly so this also works under PowerShell 7
$lines | Out-File $cfg -Encoding Unicode
secedit /configure /db c:\windows\security\local.sdb /cfg $cfg /areas SECURITYPOLICY | Out-Null
Remove-Item $cfg -Force -Confirm:$false
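The post gives only the remediation half of the Worklet; the evaluation half decides whether remediation needs to run at all. The following evaluation script is an added example (mine, not part of the original Worklet or any Automox code) that parses the same secedit export and checks the three 1.2.x values, including the ResetLockoutCount <= LockoutDuration constraint Windows enforces. The exit-code convention (0 compliant, 1 remediation required), the temp-file name and the sample export are assumptions I constructed.

```powershell
function Test-LockoutPolicy {
    param([string[]]$IniLines)

    # Pull the three [System Access] values out of a secedit export; an absent key becomes $null
    $values = @{}
    foreach ($key in 'LockoutBadCount', 'LockoutDuration', 'ResetLockoutCount') {
        $m = $IniLines | Select-String -Pattern "^$key\s*=\s*(-?\d+)" | Select-Object -First 1
        $values[$key] = if ($m) { [int]$m.Matches[0].Groups[1].Value } else { $null }
    }

    $findings = @()
    # 1.2.2: threshold must be 1..10; 0 disables lockout, and secedit then omits the other two keys
    if ($null -eq $values.LockoutBadCount -or $values.LockoutBadCount -lt 1 -or $values.LockoutBadCount -gt 10) {
        $findings += "1.2.2 LockoutBadCount = '$($values.LockoutBadCount)' (expected 1-10)"
    }
    # 1.2.1: lockout duration must be 15 or more minutes
    if ($null -eq $values.LockoutDuration -or $values.LockoutDuration -lt 15) {
        $findings += "1.2.1 LockoutDuration = '$($values.LockoutDuration)' (expected >= 15)"
    }
    # 1.2.3: reset counter must be 15 or more minutes and, as Windows requires, no larger than the duration
    if ($null -eq $values.ResetLockoutCount -or $values.ResetLockoutCount -lt 15) {
        $findings += "1.2.3 ResetLockoutCount = '$($values.ResetLockoutCount)' (expected >= 15)"
    } elseif ($null -ne $values.LockoutDuration -and $values.ResetLockoutCount -gt $values.LockoutDuration) {
        $findings += "1.2.3 ResetLockoutCount ($($values.ResetLockoutCount)) exceeds LockoutDuration ($($values.LockoutDuration))"
    }
    return ,$findings
}

# Constructed sample export (not from a real device): lockout disabled, so all three items fail
$sample = @('[System Access]', 'MinimumPasswordAge = 1', 'LockoutBadCount = 0')
$demo = Test-LockoutPolicy -IniLines $sample
"Sample export: $($demo.Count) finding(s)"; $demo

# Evaluate the live policy from the same kind of secedit export the remediation code edits
$cfg = Join-Path $env:TEMP 'secpol-eval.cfg'   # assumed temp path
secedit /export /cfg $cfg | Out-Null
$result = Test-LockoutPolicy -IniLines (Get-Content $cfg)
Remove-Item $cfg -Force
if ($result.Count -gt 0) { $result; exit 1 } else { 'Compliant'; exit 0 }
```

Running it before and after the remediation code shows the findings disappear once the three values are applied.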

All credit goes to @awhitman for creating this worklet.
