800-53|IA-5c.

Title

AUTHENTICATOR MANAGEMENT

Description

Ensuring that authenticators have sufficient strength of mechanism for their intended use;

Reference Item Details

Category: IDENTIFICATION AND AUTHENTICATION

Family: IDENTIFICATION AND AUTHENTICATION

Baseline Impact: LOW, MODERATE, HIGH

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.2.4.2.2.16 Set 'Allow BitLocker without a compatible TPM' to 'False' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.2.4.2.2.18 Set 'Configure TPM startup PIN:' to 'Require startup PIN with TPM' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.2.4.2.2.20 Set 'Configure TPM startup key:' to 'Do not allow startup key with TPM' | Windows | CIS Windows 8 L1 v1.0.0 |
| 18.9.11.2.1 (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker |
| 18.9.11.2.1 (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker |
| 18.9.11.2.1 Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Bitlocker v3.2.0 |
| 18.9.11.2.1 Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 18.9.11.2.1 Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0 |
| 18.9.11.2.11 Ensure 'Require additional authentication at startup' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Bitlocker v3.2.0 |
| 18.9.11.2.11 Ensure 'Require additional authentication at startup' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0 |
| 18.9.11.2.11 Ensure 'Require additional authentication at startup' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 18.9.11.2.12 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | Windows | CIS Windows 7 Workstation Bitlocker v3.2.0 |
| 18.9.11.2.12 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 18.9.11.2.12 Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0 |
| 18.9.11.2.14 Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM' | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0 |
| 18.9.11.2.14 Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM' | Windows | CIS Windows 7 Workstation Bitlocker v3.2.0 |
| 18.9.11.2.14 Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 18.9.11.2.15 Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM' | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0 |
| 18.9.11.2.15 Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM' | Windows | CIS Windows 7 Workstation Bitlocker v3.2.0 |
| 18.9.11.2.15 Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 18.9.11.2.16 Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 18.9.11.2.16 Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM' | Windows | CIS Windows 7 Workstation Bitlocker v3.2.0 |
| 18.9.11.2.16 Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM' | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0 |
| 18.9.11.2.17 (BL) Ensure 'Require additional authentication at startup' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker |
| 18.9.11.2.17 (BL) Ensure 'Require additional authentication at startup' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker |
| 18.9.11.2.18 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker |
| 18.9.11.2.18 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker |
| 18.9.11.2.20 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker |
| 18.9.11.2.20 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup PIN:' is set to 'Enabled: Require startup PIN with TPM' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker |
| 18.9.11.2.21 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker |
| 18.9.11.2.21 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup key:' is set to 'Enabled: Do not allow startup key with TPM' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker |
| 18.9.11.2.22 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker |
| 18.9.11.2.22 (BL) Ensure 'Require additional authentication at startup: Configure TPM startup key and PIN:' is set to 'Enabled: Do not allow startup key and PIN with TPM' | Windows | CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker |
| 18.9.15.1 Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + NG |
| 18.9.15.1 Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Windows | CIS Microsoft Windows Server 2022 v1.0.0 L1 DC |
| 18.9.15.1 Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + NG |
| 18.9.15.1 Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Windows | CIS Microsoft Windows Server 2019 MS L1 v1.3.0 |
| 18.9.15.1 Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL |
| 18.9.15.1 Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Windows | CIS Microsoft Windows 10 Stand-alone v1.0.1 L1 + BL |
| 18.9.15.1 Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 |
| 18.9.15.1 Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Windows | CIS Microsoft Windows 11 Stand-alone v1.0.0 L1 |
| 18.9.15.1 Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 |
| 18.9.15.1 Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Windows | CIS Microsoft Windows 10 Stand-alone v1.12.0 L1 + NG |
| 18.9.15.1 Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Windows | CIS Microsoft Windows 11 Enterprise v1.0.0 L1 + BL + NG |
| 18.9.15.1 Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Windows | CIS Microsoft Windows 10 Stand-alone v1.0.1 L1 |
| 18.9.15.1 Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Windows | CIS Microsoft Windows Server 2019 DC L1 v1.3.0 |
| 18.9.15.1 Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL |
| 18.9.15.1 Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Windows | CIS Microsoft Windows 10 Stand-alone v1.0.1 L1 + BL + NG |
| 18.9.15.1 Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Windows | CIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL + NG |
| 18.9.15.1 Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Windows | CIS Microsoft Windows 11 Stand-alone v1.0.0 L1 + BL |