Detections
Analytics
WN11-00-000032 - Windows 11 systems must use a BitLocker PIN with a minimum length of six digits for pre-boot authentication.
Information
If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives. Increasing the pin length requires a greater number of guesses for an attacker.Solution
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives 'Configure minimum PIN length for startup' to 'Enabled' with 'Minimum characters:' set to '6' or greater.See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_11_V2R7_STIG.zip
Item Details
Audit Name: DISA Microsoft Windows 11 STIG v2r7
Category: IDENTIFICATION AND AUTHENTICATION
References: 800-53|IA-8, CAT|II, CCI|CCI-000804, Rule-ID|SV-253261r958504_rule, STIG-ID|WN11-00-000032, Vuln-ID|V-253261
Plugin: Windows
Control ID: 249fd7a3b5ed77b6008555f718fe0cf54a007b32a744d3df8fd077ad0d9dc188