PCI 8.1.7 Set the lockout duration to thirty minutes

Information

The Lockout threshold is set to 'Never', which also sets 'Lockout duration (minutes)' and 'Lockout observation window (minutes)' to their default value of 30. Both the checks for the Lockout threshold (8.1.6) and Lockout duration (8.1.7) are marked as failed.

Review the password policies and set them to appropriate levels.
PCI recommends that 'Lockout duration' be set to a value greater than 29.

If an account is locked out due to someone continually trying to guess a password, controls to delay reactivation of these locked accounts stops the malicious individual from continually guessing the password (they will have to stop for a minimum of 30 minutes until the account is reactivated). Additionally, if reactivation must be requested, the admin or help desk can validate that it is the actual account owner requesting reactivation.
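The following PowerShell is an added example, not part of the Tenable audit text or the plugin itself. It parses the lockout settings as printed by `net accounts` (the same field names this item quotes), evaluates them against 8.1.7, and treats the 'Never' threshold described above as a failure because the duration is never enforced. The threshold value of 6 in the remediation comment comes from PCI DSS 8.1.6, not from this page, and the `net accounts` lockout switches are assumed to be available on the target Windows build.

```powershell
# Added example (not from the audit item): read the local lockout policy from
# `net accounts` output and check it against PCI DSS 8.1.7 (duration >= 30).
function Get-LockoutPolicy {
    param([string[]]$NetAccountsOutput = (net accounts))
    $policy = @{ Threshold = $null; Duration = $null; Window = $null }
    foreach ($line in $NetAccountsOutput) {
        if ($line -match '^Lockout threshold:\s+(\S+)') {
            # 'Never' means accounts are never locked out (threshold 0)
            $policy.Threshold = if ($Matches[1] -eq 'Never') { 0 } else { [int]$Matches[1] }
        }
        elseif ($line -match '^Lockout duration \(minutes\):\s+(\S+)') {
            # Assumption: 'Never' here means locked until an administrator
            # unlocks, i.e. reactivation must be requested (-1 as a marker)
            $policy.Duration = if ($Matches[1] -eq 'Never') { -1 } else { [int]$Matches[1] }
        }
        elseif ($line -match '^Lockout observation window \(minutes\):\s+(\d+)') {
            $policy.Window = [int]$Matches[1]
        }
    }
    return $policy
}

function Test-Pci817 {
    param([hashtable]$Policy)
    if ($Policy.Threshold -eq 0) {
        # No lockout ever happens, so the 30-minute delay is never applied:
        # this is the 'Never' state that fails both 8.1.6 and 8.1.7.
        return [pscustomobject]@{ Check = '8.1.7'; Pass = $false
            Reason = 'Lockout threshold is Never; duration is not enforced' }
    }
    $ok = ($Policy.Duration -eq -1) -or ($Policy.Duration -ge 30)
    return [pscustomobject]@{ Check = '8.1.7'; Pass = $ok
        Reason = "Lockout duration is $($Policy.Duration) minutes" }
}

# Constructed sample reproducing the failing state described in this item.
$sample = @(
    'Lockout threshold:                                    Never',
    'Lockout duration (minutes):                           30',
    'Lockout observation window (minutes):                 30'
)
Test-Pci817 -Policy (Get-LockoutPolicy -NetAccountsOutput $sample)   # Pass = False

# Live check of the current host (requires no elevation to read):
Test-Pci817 -Policy (Get-LockoutPolicy)

# Remediation (run elevated): lock after 6 failed attempts (PCI DSS 8.1.6,
# assumed from the standard, not this page) and keep the lock for 30 minutes.
# net accounts /lockoutthreshold:6 /lockoutduration:30 /lockoutwindow:30
```

On a domain-joined host the effective values come from Group Policy, so re-run the check after a `gpupdate /force` rather than trusting a local `net accounts` change.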

See Also

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-7a., CSCv6|16.7

Plugin: Windows

Control ID: c0415ef7903b04fda37e7f3a0bc5f8d9364bfa964f583aa1c5c18e6f6d6af53e