Automox Worklet: Set Account Lockout Policies

To provide guidance on how to map your cyber hygiene practices to the MITRE ATT&CK framework, we’ve started to create a series of Automox Worklets™. Our goal is to showcase the power and flexibility of these worklets to bolster your cyber hygiene and prevent or mitigate real-world threats. 

Both the Center for Internet Security (CIS) security controls and the MITRE ATT&CK framework provide crucial intelligence to maintain a strong cybersecurity posture. By practicing good cyber hygiene as directed by the CIS, you can prevent and mitigate real-world threats identified throughout the MITRE ATT&CK framework. 

With this Automox Worklet, we’ve chosen to highlight the first tactic in the ATT&CK matrix, Initial Access, and more specifically technique ID T1078, Valid Accounts. For additional information on this tactic and technique, refer to our blog on the topic.

Automox Worklet: Set Account Lockout Policies per CIS Recommendations

This Automox Worklet automatically applies the CIS recommendations for (1) Account Policies (1.1) Account Lockout. It is highly recommended that all Windows devices adhere to these recommendations and be evaluated frequently to ensure compliance.

Please Read - CIS Account Lockout Recommendations

The following policies are broken down in the worklet remediation code below. Most of these settings are configurable by the security admin, but Automox has aligned the default settings in the code to match the CIS recommendations.

1.2 Account Lockout

1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)'

1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'

1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'

1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)' [configurable]

This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, locked out accounts will remain locked until an administrator manually unlocks them.

Although it might seem like a good idea to configure the value for this policy setting to a high value, such a configuration will likely increase the number of calls that the help desk receives to unlock accounts locked by mistake. Users should be aware of the length of time a lock remains in place, so that they realize they only need to call the help desk if they have an extremely urgent need to regain access to their computer.

The recommended state for this setting is: 15 or more minute(s).

1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s)' [configurable]

This policy setting determines the number of failed logon attempts before the account is locked. Setting this policy to 0 does not conform to the benchmark, as doing so disables the account lockout threshold.

The recommended state for this setting is: 10 or fewer invalid logon attempt(s), but not 0.

1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' [configurable]

This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setting.

The recommended state for this setting is: 15 or more minute(s).

CIS Account Lockout Remediation Code

When executed from the Worklet, the remediation code below will automatically set all of the account lockout policy settings described above across the endpoints. Configure any values you want to change, or keep the defaults. You will copy and paste this remediation code into the new Worklet policy when you create it.

You can also access this code on the Automox Alive community.

Remediation:

    #SYNOPSIS
    #Automatically configures Account Policies -> Account Lockout Policy to the CIS recommended configuration for Windows 10 1809

    #1.2 Account Lockout Policy
    #1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)'
    #1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s)'
    #1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'

    #1.2.3 Length of time before the Account lockout threshold counter resets to zero.
    #Recommended: 15 or more minute(s). MUST BE SET <= the "LockoutDuration" value.
    $lockreset = 15

    #1.2.1 Duration a user stays locked out before being allowed to attempt logon again.
    #Recommended: 15 or more minute(s). MUST BE SET >= the "ResetLockoutCount" value.
    $lockduration = 15

    #1.2.2 Number of invalid logon attempts before the account is locked out.
    #Recommended: 10 or fewer, but not 0 (0 disables lockout entirely).
    $lockbadcnt = 10

    #Replaces the whole "Key = <old value>" line so the old value is not left behind
    #(a plain string replace of "Key" alone would produce "Key = 15 = 30").
    #secedit omits LockoutDuration and ResetLockoutCount from the export while the
    #threshold is 0, so a missing key is added under [System Access] rather than skipped.
    function Set-SecPolValue {
        param([string[]]$Lines, [string]$Key, [int]$Value)
        if ($Lines -match "^$Key\s*=") {
            return $Lines -replace "^$Key\s*=.*", "$Key = $Value"
        }
        return $Lines -replace '^\[System Access\]\s*$', "[System Access]`r`n$Key = $Value"
    }

    #Export once, apply all three settings, import once, then remove the temporary template
    $cfg = 'c:\secpol.cfg'
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $lines = Get-Content $cfg
    $lines = Set-SecPolValue -Lines $lines -Key 'LockoutBadCount'   -Value $lockbadcnt
    $lines = Set-SecPolValue -Lines $lines -Key 'LockoutDuration'   -Value $lockduration
    $lines = Set-SecPolValue -Lines $lines -Key 'ResetLockoutCount' -Value $lockreset
    #secedit expects a Unicode (UTF-16 LE) template
    $lines | Out-File $cfg -Encoding Unicode
    secedit /configure /db c:\windows\security\local.sdb /cfg $cfg /areas SECURITYPOLICY
    Remove-Item $cfg -Force -Confirm:$false


Step-by-Step: Create the Account Lockout Worklet

To deploy this endpoint hardening Worklet, do the following:

  1. Log in to your Automox Console.
  2. Navigate to the System Management page and click Create Policy in the upper right-hand section of the screen.
  3. Choose Windows under Worklet. 
  4. Copy and paste the Remediation code scripts [shown above].

    The Evaluation code will be unique to your instance, so write that script according to the value you want evaluated. Setting “Exit 1” as the evaluation code will force remediation every time the policy is scheduled to be executed across the endpoints.

  5. Define a schedule for how often you want this policy to run. 
  6. Click Create Worklet.
  7. Assign Worklet to a group or multiple groups and click Save Changes.
  8. [Optional] To execute Worklet manually, click the Execute Policy Now button.
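Step 4 notes that the Evaluation code is unique to each instance. The following Evaluation script is an added example, not Automox's or the Worklet's own code: it reads the current local policy with secedit and exits 1 (remediate) only when one of the three CIS 1.2.x values is out of range, so the Remediation code runs only on endpoints that actually need it. The temp-file path is an assumption.

```powershell
# Added example Evaluation script (not part of the original Worklet). Exit 0 = compliant,
# exit 1 = the Remediation code should run. Thresholds mirror the Remediation defaults.
$lockreset    = 15   # CIS 1.2.3: ResetLockoutCount must be >= 15 minutes
$lockduration = 15   # CIS 1.2.1: LockoutDuration must be >= 15 minutes
$lockbadcnt   = 10   # CIS 1.2.2: LockoutBadCount must be 1..10 (0 disables lockout)
# Temp path is an assumption; any location the Automox agent can write works
$cfg = Join-Path $env:TEMP 'secpol_eval.cfg'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
# Collect every "Key = <integer>" line of the exported template into a hashtable
$policy = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') { $policy[$matches[1]] = [int]$matches[2] }
}
Remove-Item $cfg -Force -ErrorAction SilentlyContinue

$findings = @()
# LockoutBadCount is always exported; 0 means lockout is disabled, which never conforms
$threshold = $policy['LockoutBadCount']
if ($null -eq $threshold -or $threshold -lt 1 -or $threshold -gt $lockbadcnt) {
    $findings += "LockoutBadCount = $threshold (expected 1-$lockbadcnt)"
}

# LockoutDuration and ResetLockoutCount are omitted from the export while the threshold is 0,
# so a missing key is reported rather than skipped. secedit exports -1 when the duration is
# set to "until an administrator unlocks", which also fails the 15-minute minimum here.
$minimums = @(
    @{ Key = 'LockoutDuration';   Min = $lockduration },
    @{ Key = 'ResetLockoutCount'; Min = $lockreset }
)
foreach ($check in $minimums) {
    $value = $policy[$check.Key]
    if ($null -eq $value -or $value -lt $check.Min) {
        $findings += "$($check.Key) = $value (expected >= $($check.Min))"
    }
}

# The reset window must be <= the lockout duration (see 1.2.3 above)
$duration = $policy['LockoutDuration']; $reset = $policy['ResetLockoutCount']
if ($null -ne $duration -and $null -ne $reset -and $duration -ge 0 -and $reset -gt $duration) {
    $findings += "ResetLockoutCount ($reset) exceeds LockoutDuration ($duration)"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "Non-compliant: $_" }
    exit 1
}
Write-Output 'Account lockout policy meets the CIS 1.2.x recommendations'
exit 0
```

Because the script exits 1 only on a real deviation, the Worklet's activity log shows exactly which value drifted, instead of forcing remediation on every schedule as a bare "Exit 1" does.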

As always, feel free to reach out to support@automox.com if you need any technical assistance.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure. 

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.
