
CIS Compliance: Windows 10 - 1 Account Policies - 1.2 Account Lockout

  • February 12, 2020
  • 2 replies
  • 493 views

Nic-Automox

This section covers the Worklet that automatically applies the CIS recommendations for (1) Account Policies (1.2) Account Lockout. It is highly recommended that all Windows devices adhere to these recommendations and be evaluated frequently to ensure compliance.

1.2.1 (L1) Ensure ‘Account lockout duration’ is set to ‘15 or more minute(s)’
1.2.2 (L1) Ensure ‘Account lockout threshold’ is set to ‘10 or fewer invalid logon attempt(s), but not 0’
1.2.3 (L1) Ensure ‘Reset account lockout counter after’ is set to ‘15 or more minute(s)’

You can set these to be more restrictive than the settings above, but the following remediation code run without changes will set the thresholds as listed above.

Remediation code:

#SYNOPSIS
#Automatically configures the Account Policies -> Account Lockout Policies to the CIS recommended configuration for Windows 10 1809

#1.2 Account Lockout Policy
#1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)'
#1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s)'
#1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'

#AUTHOR
#Adam Whitman

#DATE
#January 3rd 2020


#Recommended values. Windows requires ResetLockoutCount to be <= LockoutDuration.
$lockbadcnt   = 10   #1.2.2 invalid logon attempts before the account is locked: 10 or fewer, but not 0
$lockduration = 15   #1.2.1 minutes the account stays locked before logon is allowed again: 15 or more
$lockreset    = 15   #1.2.3 minutes before the invalid-logon counter resets to zero: 15 or more

#Export the current local security policy once (secedit writes the file as UTF-16 LE)
$cfg = "C:\secpol.cfg"
secedit /export /cfg $cfg

#Replace an existing "Key = value" line, or insert the key under [System Access] when it is absent.
#secedit omits LockoutDuration and ResetLockoutCount from the export while LockoutBadCount is 0.
function Set-SecpolValue([string[]]$Lines, [string]$Key, [int]$Value) {
    if ($Lines -match "^$Key\s*=") {
        return $Lines -replace "^$Key\s*=.*", "$Key = $Value"
    }
    $idx = [array]::IndexOf($Lines, '[System Access]')
    return $Lines[0..$idx] + "$Key = $Value" + $Lines[($idx + 1)..($Lines.Count - 1)]
}

$lines = Get-Content $cfg
$lines = Set-SecpolValue $lines 'LockoutBadCount'   $lockbadcnt
$lines = Set-SecpolValue $lines 'LockoutDuration'   $lockduration
$lines = Set-SecpolValue $lines 'ResetLockoutCount' $lockreset
$lines | Out-File $cfg -Encoding Unicode

#Apply the policy to the local security database and remove the temporary export
secedit /configure /db C:\windows\security\local.sdb /cfg $cfg /areas SECURITYPOLICY
Remove-Item -Force $cfg -Confirm:$false

All credit goes to @awhitman for creating this worklet.

Thanks for this. Can you advise if you created this as a worklet and if so what did you add for the “Evaluation Code”?


  • Automox Employee
  • October 8, 2021

Hi Pat,

Please take a look at the below example and customize it as necessary for your environment. Hope this helps!

#Export the current policy first; the remediation code deletes C:\secpol.cfg when it finishes, so the file is not there to read otherwise
secedit /export /cfg C:\secpol.cfg | Out-Null
$resetLockoutCount = ((gc C:\secpol.cfg | Select-String -Pattern 'ResetLockoutCount') -split " = ")[1]
$lockoutDuration = ((gc C:\secpol.cfg | Select-String -Pattern 'LockoutDuration') -split " = ")[1]
$lockoutCount = ((gc C:\secpol.cfg | Select-String -Pattern 'LockoutBadCount') -split " = ")[1]
$remediationRequired = 0
#Exit 1 (remediation required) if any value differs from what the remediation code sets
if($resetLockoutCount -ne 15 -OR $lockoutDuration -ne 15 -OR $lockoutCount -ne 10)
{
    $remediationRequired = 1
}
rm -force c:\secpol.cfg -confirm:$false
exit $remediationRequired
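A range-based evaluation, added here as an example and not part of this thread or the Automox worklet, that parses the [System Access] section of a secedit export and tests the CIS bounds (15 or more, 10 or fewer but not 0) rather than exact values, so a device configured more strictly than the remediation defaults still passes. The function names Get-SystemAccessPolicy and Test-AccountLockoutPolicy are this example's own, and the cfg text is constructed to show the parsing; on a device you would read the output of secedit /export instead.

```powershell
# Added example (not from the thread or the Automox worklet): evaluate CIS 1.2.x from a
# secedit export using the benchmark's ranges instead of exact values.

# Parse the "Key = value" lines of the [System Access] section into a hashtable.
function Get-SystemAccessPolicy([string[]]$Lines) {
    $policy = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
    }
    return $policy
}

# Return the failing CIS 1.2 items; an empty list means compliant.
function Test-AccountLockoutPolicy([hashtable]$Policy) {
    # Keys absent from the export (lockout disabled) cast to 0.
    $badCount = [int]$Policy['LockoutBadCount']
    $duration = [int]$Policy['LockoutDuration']
    $reset    = [int]$Policy['ResetLockoutCount']
    $failures = @()
    if ($badCount -eq 0 -or $badCount -gt 10) { $failures += "1.2.2 LockoutBadCount=$badCount (expected 1-10)" }
    if ($duration -lt 15) { $failures += "1.2.1 LockoutDuration=$duration (expected 15 or more)" }
    if ($reset -lt 15)    { $failures += "1.2.3 ResetLockoutCount=$reset (expected 15 or more)" }
    # Windows rejects a reset window longer than a non-zero lockout duration.
    if ($duration -ne 0 -and $reset -gt $duration) { $failures += "ResetLockoutCount must be <= LockoutDuration" }
    return ,$failures
}

# Constructed sample export with lockout enabled but too loose; on a device run
# secedit /export /cfg C:\secpol.cfg and read the file with Get-Content instead.
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
LockoutBadCount = 20
LockoutDuration = 30
ResetLockoutCount = 10
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

$failures = Test-AccountLockoutPolicy (Get-SystemAccessPolicy $sample)
$failures | ForEach-Object { Write-Output $_ }
exit ([int]($failures.Count -gt 0))   # Automox convention: non-zero exit = remediation required
```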


