1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

This policy setting determines the number of failed logon attempts before the account is locked.

Setting this policy to '0' does not conform to the benchmark, because doing so disables the account lockout threshold.

The recommended state for this setting is: '10 or fewer invalid logon attempt(s), but not 0'.

Solution

To establish the recommended configuration via GP, set the following UI path to '10 or fewer invalid logon attempt(s), but not 0':

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold
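
One way to verify the setting on a host after the policy has applied, as an added example that is not part of the benchmark or of this audit. It assumes an elevated PowerShell session; the function names and the temporary file name are chosen for this example.

```powershell
# Added example: read the account lockout threshold in effect on this host
# and evaluate it against the recommended state (1..10, never 0).

function Get-LockoutThreshold {
    # Temporary INF path chosen for this example; removed again in 'finally'.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # secedit exports the security policy of the local machine to an INF file.
        secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cfg)) {
            throw "secedit export failed (exit code $LASTEXITCODE); run elevated."
        }
        # 'LockoutBadCount' is the INF key behind 'Account lockout threshold'.
        $hit = Select-String -Path $cfg -Pattern '^\s*LockoutBadCount\s*=\s*(\d+)\s*$' |
               Select-Object -First 1
        if (-not $hit) { throw "LockoutBadCount not found in exported policy." }
        return [int]$hit.Matches[0].Groups[1].Value
    }
    finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

function Test-LockoutThreshold {
    param([Parameter(Mandatory)][int]$Threshold)
    # 0 disables lockout, so it fails even though it is "10 or fewer".
    return ($Threshold -ge 1 -and $Threshold -le 10)
}

$value = Get-LockoutThreshold
[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    Setting   = 'Account lockout threshold'
    Value     = $value
    Compliant = Test-LockoutThreshold -Threshold $value
    Reason    = if ($value -eq 0) { 'Lockout disabled (0)' }
                elseif ($value -gt 10) { 'Threshold above 10' }
                else { 'Within 1..10' }
}
```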

See Also

https://workbench.cisecurity.org/files/1941