CIS Compliance: Windows 10 - 1 Account Policies - 1.2 Account Lockout

  • 12 February 2020
  • 2 replies
  • 424 views


This section covers the Worklet that automatically applies the CIS recommendations for (1) Account Policies (1.2) Account Lockout. It is highly recommended that all Windows devices adhere to these recommendations and be evaluated frequently to ensure they remain compliant.


1.2.1 (L1) Ensure ‘Account lockout duration’ is set to ‘15 or more minute(s)’

1.2.2 (L1) Ensure ‘Account lockout threshold’ is set to ‘10 or fewer invalid logon attempt(s), but not 0’

1.2.3 (L1) Ensure ‘Reset account lockout counter after’ is set to ‘15 or more minute(s)’


You can set these more restrictively than the values above (a lower threshold or longer durations); run without changes, the remediation code below sets exactly the thresholds listed.


Remediation code:


#SYNOPSIS
#Automatically configures the Account Policies -> Account Lockout Policies to the CIS recommended configuration for Windows 10 1809

#1.2 Account Lockout Policy
#1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)'
#1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'
#1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'

#AUTHOR
#Adam Whitman

#DATE
#January 3rd 2020


#Reset account lockout counter after: minutes before the failed-logon counter resets to zero.
#Recommended: 15 or more. Windows requires this to be less than or equal to LockoutDuration.
$lockreset = 15

#Account lockout duration: minutes an account stays locked before logons are accepted again.
#Recommended: 15 or more. Must be greater than or equal to ResetLockoutCount (0 means locked until an administrator unlocks it).
$lockduration = 15

#Account lockout threshold: failed logon attempts before the account is locked.
#Recommended: 10 or fewer, but not 0 (0 disables lockout entirely).
$lockbadcnt = 10

#Export the current local policy once, rewrite the three values, then import the result.
#secedit omits LockoutDuration and ResetLockoutCount from the export while LockoutBadCount is 0,
#so a key that is absent has to be added under [System Access] rather than replaced in place.
$cfg = 'C:\secpol.cfg'
secedit /export /cfg $cfg | Out-Null
$lines = Get-Content -Path $cfg
$wanted = [ordered]@{
    LockoutBadCount   = $lockbadcnt
    LockoutDuration   = $lockduration
    ResetLockoutCount = $lockreset
}
foreach ($key in $wanted.Keys) {
    $setting = "$key = $($wanted[$key])"
    if ($lines -match "^$key\s*=") {
        $lines = $lines -replace "^$key\s*=.*$", $setting
    } else {
        $lines = $lines -replace '^\[System Access\]$', "[System Access]`r`n$setting"
    }
}
#secedit expects a Unicode (UTF-16LE) template; set the encoding explicitly so this also works on PowerShell 7, whose default is UTF-8.
$lines | Out-File -FilePath $cfg -Encoding Unicode
secedit /configure /db C:\Windows\security\local.sdb /cfg $cfg /areas SECURITYPOLICY | Out-Null
Remove-Item -Path $cfg -Force -Confirm:$false

All credit goes to @awhitman for creating this worklet.


2 replies

Thanks for this. Can you advise if you created this as a worklet and if so what did you add for the “Evaluation Code”?


Hi Pat,


Please take a look at the below example and customize it as necessary for your environment. Hope this helps!


# Export the current policy first: the remediation step deletes C:\secpol.cfg, so it does not exist at evaluation time.
secedit /export /cfg C:\secpol.cfg /areas SECURITYPOLICY | Out-Null
# When lockout is disabled (LockoutBadCount = 0) the other two keys are absent from the export; [int]$null is 0, which fails the checks below.
$resetLockoutCount = [int]((gc C:\secpol.cfg | Select-String -Pattern '^ResetLockoutCount') -split " = ")[1]
$lockoutDuration = [int]((gc C:\secpol.cfg | Select-String -Pattern '^LockoutDuration') -split " = ")[1]
$lockoutCount = [int]((gc C:\secpol.cfg | Select-String -Pattern '^LockoutBadCount') -split " = ")[1]
$remediationRequired = 0
# CIS 1.2.x accepts a range, so compare against the bounds rather than the exact remediation values;
# otherwise a device configured more strictly than 15/15/10 is reported as non-compliant.
if($resetLockoutCount -lt 15 -OR $lockoutDuration -lt 15 -OR $lockoutCount -eq 0 -OR $lockoutCount -gt 10)
{
$remediationRequired = 1
}
rm -force c:\secpol.cfg -confirm:$false
exit $remediationRequired

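As an added example that is not part of the original post or the worklet, the PowerShell below parses a secedit export into a hashtable and evaluates it against the benchmark's ranges (threshold 1 to 10, duration and reset counter 15 or more) plus the Windows rule that the reset counter may not exceed the lockout duration, reporting each failing item rather than a single yes/no. The function names (Get-SecPolValues, Test-LockoutPolicy, Test-LocalLockoutPolicy), the temp file name and the sample template text are assumptions constructed for this illustration; only the secedit command line and the [System Access] key names come from the thread.

```powershell
# Added example, not the worklet's own code: evaluate a secedit export against
# the CIS 1.2.x ranges instead of the exact remediation values.
# Assumes Windows PowerShell 5.1 or later. Function names and the sample
# template below are constructed for this illustration.

function Get-SecPolValues {
    param([string[]]$Lines)
    # Collect "Key = Value" pairs from the [System Access] section only.
    $values = @{}
    $inSystemAccess = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSystemAccess = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSystemAccess -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
            $values[$Matches[1]] = $Matches[2]
        }
    }
    return $values
}

function Test-LockoutPolicy {
    param([hashtable]$Values)
    # secedit omits LockoutDuration and ResetLockoutCount while LockoutBadCount
    # is 0 (lockout disabled); [int]$null is 0, so a missing key reads as 0.
    $threshold = [int]$Values['LockoutBadCount']
    $duration  = [int]$Values['LockoutDuration']
    $reset     = [int]$Values['ResetLockoutCount']

    $findings = @()
    if ($threshold -eq 0 -or $threshold -gt 10) {
        $findings += "1.2.2 LockoutBadCount = $threshold (expected 1..10)"
    }
    # Duration 0 means "locked until an administrator unlocks", which is not '15 or more'.
    if ($duration -lt 15) {
        $findings += "1.2.1 LockoutDuration = $duration (expected 15 or more)"
    }
    if ($reset -lt 15) {
        $findings += "1.2.3 ResetLockoutCount = $reset (expected 15 or more)"
    }
    # Windows only enforces this relationship when the duration is not indefinite (0).
    if ($duration -gt 0 -and $reset -gt $duration) {
        $findings += "ResetLockoutCount ($reset) must not exceed LockoutDuration ($duration)"
    }
    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

function Test-LocalLockoutPolicy {
    # Live check (run elevated): export, evaluate, and always remove the template.
    $cfg = Join-Path $env:TEMP 'secpol-eval.cfg'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    try {
        Test-LockoutPolicy -Values (Get-SecPolValues -Lines (Get-Content -Path $cfg))
    } finally {
        Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue
    }
}

# Constructed sample of an export from a machine where lockout is disabled:
# only LockoutBadCount is present, and it is 0.
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

$result = Test-LockoutPolicy -Values (Get-SecPolValues -Lines $sample)
$result.Findings | ForEach-Object { Write-Output "NON-COMPLIANT: $_" }
# In an Automox evaluation step, call Test-LocalLockoutPolicy instead and finish with:
#   exit ([int](-not $result.Compliant))
```

Against the constructed sample all three 1.2.x items are reported, because a disabled lockout leaves every value at 0; on a real device Test-LocalLockoutPolicy does the export itself and cleans up the template even if parsing throws. Exiting with 1 when Compliant is false keeps the same contract as the evaluation code in the reply above (0 = compliant, 1 = remediation required).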