AC-07-727 Unsuccessful Logon Attempts

Unsuccessful Logon Attempts

Control ID

AC-07-727

Control Name

Unsuccessful Logon Attempts

Control Category

Access Control

Functional Areas

Protect

Sub-Areas

System Configuration Hardening and Patch Management

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

July 25, 2016

Agency Implementation

All Agency-owned information resources shall adopt Center for Internet Security (CIS) Benchmarks Level I standards for lockout policies where possible. If benchmarks are not available, user accounts shall lockout for a duration of 15 minutes after exceeding a threshold of 10 failed attempts within a 15 minute window and privileged user and service accounts shall lockout for a duration of 15 minutes after exceeding a threshold of 5 failed attempts within a 15 minute window, as a minimum.

Risk Statement

Unauthorized access is gained to operating systems.

Control Description

The information system: a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.

Control Example

An account is locked out of use after a predetermined number of attempts.

State Implementation

1. As technology permits, state organizations should enforce account lockouts after, at minimum, 10 failed attempts. This threshold may be lowered for Moderate or High risk systems. 2. Accounts locked out due to multiple incorrect logon attempts should stay locked out for a minimum of 15 minutes. Accounts for Moderate or High risk systems should remain locked until reset by an administrator.

Testing Procedures

Obtain access control policy; procedures addressing unsuccessful logon attempts; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records and ascertain if (I) the organization defines in the security plan, explicitly or by reference, the maximum number of consecutive invalid access attempts to the information system by a user and the time period in which the consecutive invalid access attempts occur; (ii) the information system enforces the organization-defined limit of consecutive invalid access attempts by a user during the organization-defined time period; (iii) the organization defines in the security plan, explicitly or by reference, the time period for lock out mode or delay period; (iv) the organization selects either a lock out mode for the organization-defined time period or delays next login prompt for the organization-defined delay period for information system responses to consecutive invalid access attempts; (v) the information system enforces the organization-selected lock out mode or delayed login prompt.