System Configuration Hardening and Patch Management
LOW, MOD, HIGH
P2
Yes
July 25, 2016
All Agency-owned information resources shall adopt Center for Internet Security (CIS) Benchmarks Level I standards for lockout policies where possible. If benchmarks are not available, user accounts shall lock out for a duration of 15 minutes after exceeding a threshold of 10 failed attempts within a 15-minute window, and privileged user and service accounts shall lock out for a duration of 15 minutes after exceeding a threshold of 5 failed attempts within a 15-minute window, as a minimum.
Unauthorized access is gained to operating systems.
The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
An account is locked out of use after a predetermined number of attempts.
1. As technology permits, state organizations should enforce account lockouts after, at minimum, 10 failed attempts. This threshold may be lowered for Moderate or High risk systems.
2. Accounts locked out due to multiple incorrect logon attempts should stay locked out for a minimum of 15 minutes. Accounts for Moderate or High risk systems should remain locked until reset by an administrator.
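The following is an added illustration, not part of the catalog entry and not any agency's or vendor's code, of the lockout logic that the standard above and the implementation guidance describe: a sliding window of failed attempts, a threshold (10 for standard users, 5 for privileged and service accounts), and a 15-minute lock once the threshold is reached. In production this logic lives in the operating system or directory service (for example a PAM lockout module or the Windows account lockout policy); the class and function names here (LockoutPolicy, LockoutEngine, simulate) and the timestamps are constructed for the example.

```python
"""Sliding-window account lockout engine (added example, not catalog text).

Minimum policy from the standard: standard users lock for 900 s after 10
failures inside a 900 s window; privileged and service accounts lock for
900 s after 5 failures inside a 900 s window. Names are illustrative.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int        # failed attempts inside the window that trigger a lock
    window_seconds: int   # only failures this recent are counted
    lock_seconds: int     # how long the account stays locked


STANDARD_USER = LockoutPolicy(threshold=10, window_seconds=900, lock_seconds=900)
PRIVILEGED = LockoutPolicy(threshold=5, window_seconds=900, lock_seconds=900)


@dataclass
class AccountState:
    policy: LockoutPolicy
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0


class LockoutEngine:
    def __init__(self):
        self._accounts = {}

    def register(self, name, policy):
        self._accounts[name] = AccountState(policy)

    def is_locked(self, name, now):
        return now < self._accounts[name].locked_until

    def _prune(self, st, now):
        # Drop failures that fell out of the sliding window.
        while st.failures and now - st.failures[0] > st.policy.window_seconds:
            st.failures.popleft()

    def record_failure(self, name, now):
        """Register a failed logon; return True if it triggered a lockout."""
        st = self._accounts[name]
        if self.is_locked(name, now):
            return False  # already locked; the attempt is rejected, not counted
        self._prune(st, now)
        st.failures.append(now)
        if len(st.failures) >= st.policy.threshold:
            st.locked_until = now + st.policy.lock_seconds
            st.failures.clear()
            return True
        return False

    def record_success(self, name, now):
        """A successful logon while not locked resets the failure history."""
        st = self._accounts[name]
        if self.is_locked(name, now):
            return False
        st.failures.clear()
        return True


def simulate():
    """Constructed walk-through of the policy; returns the observed outcomes."""
    eng = LockoutEngine()
    eng.register("alice", STANDARD_USER)
    eng.register("svc-backup", PRIVILEGED)
    eng.register("bob", STANDARD_USER)
    t0 = 1_700_000_000.0  # constructed epoch timestamp
    # Ten rapid failures against a standard user: only the tenth locks.
    alice_locks = [eng.record_failure("alice", t0 + i) for i in range(10)]
    # Four failures against a service account, then a fifth after the
    # window has expired: the stale failures no longer count, so no lock.
    for i in range(4):
        eng.record_failure("svc-backup", t0 + i)
    svc_stale = eng.record_failure("svc-backup", t0 + 904)
    # Four more failures inside the window reach the threshold of five.
    svc_locks = [eng.record_failure("svc-backup", t0 + 905 + i) for i in range(4)]
    # Nine failures, a success, then nine more: the success reset the count.
    for i in range(9):
        eng.record_failure("bob", t0 + i)
    bob_reset = eng.record_success("bob", t0 + 9)
    bob_locked = any([eng.record_failure("bob", t0 + 10 + i) for i in range(9)])
    return {
        "alice_locks": alice_locks,
        "alice_locked_at_899s": eng.is_locked("alice", t0 + 9 + 899),
        "alice_locked_at_900s": eng.is_locked("alice", t0 + 9 + 900),
        "svc_stale_failure_locked": svc_stale,
        "svc_locks": svc_locks,
        "svc_locked_at_899s": eng.is_locked("svc-backup", t0 + 908 + 899),
        "bob_reset": bob_reset,
        "bob_locked": bob_locked,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The window and lock duration are the same 15 minutes in the standard, but they are separate parameters here because the guidance allows Moderate and High risk systems to require an administrator reset instead of a timed unlock; that variant is a lock_seconds large enough to never expire, with an administrative call that clears locked_until.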
Obtain access control policy; procedures addressing unsuccessful logon attempts; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records and ascertain if
(i) the organization defines in the security plan, explicitly or by reference, the maximum number of consecutive invalid access attempts to the information system by a user and the time period in which the consecutive invalid access attempts occur;
(ii) the information system enforces the organization-defined limit of consecutive invalid access attempts by a user during the organization-defined time period;
(iii) the organization defines in the security plan, explicitly or by reference, the time period for lock out mode or delay period;
(iv) the organization selects either a lock out mode for the organization-defined time period or delays next login prompt for the organization-defined delay period for information system responses to consecutive invalid access attempts;
(v) the information system enforces the organization-selected lock out mode or delayed login prompt.