[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244625

 
 

909

 
 

193379

 
 

277

Paid content will be excluded from the download.


Download | Alert*
CCE
view XML

CCE-3230-0

Platform: cpe:/o:microsoft:windows_vistaDate: (C)2012-03-13   (M)2023-07-04



Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting determines whether it is necessary to contact a domain controller to unlock a computer. If you enable this setting, a domain controller must authenticate the domain account that is being used to unlock the computer. If you disable this setting, logon information confirmation with a domain controller is not required for a user to unlock the computer. However, if you configure the Interactive logon: Number of previous logons to cache (in case domain controller is not available) setting to a value that is greater than zero, then the user's cached credentials will be used to unlock the computer. Note: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers. Countermeasure: Configure the Interactive logon: Require Domain Controller authentication to unlock workstation setting to Enabled and configure the Interactive logon: Number of previous logons to cache (in case domain controller is not available) setting to 0. Potential Impact: When the console on a computer is locked, either by a user or automatically by a screen saver time-out, the console can only be unlocked if the user is able to re-authenticate to the domain controller. If no domain controller is available, then users cannot unlock their workstations. If you configure the Interactive logon: Number of previous logons to cache (in case domain controller is not available) setting to 0, users whose domain controllers are unavailable (such as mobile or remote users) will not be able to log on.


Parameter:

[enabled/disabled]


Technical Mechanism:

(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require Domain Controller authentication to unlock workstation (2) REG: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon!ForceUnlockLogon

CCSS Severity:CCSS Metrics:
CCSS Score : 7.4Attack Vector: NETWORK
Exploit Score: 2.2Attack Complexity: HIGH
Impact Score: 5.2Privileges Required: NONE
Severity: HIGHUser Interaction: NONE
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:HScope: UNCHANGED
 Confidentiality: NONE
 Integrity: HIGH
 Availability: HIGH
  

References:
Resource IdReference
SCAP Repo OVAL Definitionoval:gov.nist.usgcb.vista:def:6044
BITS Shared Assessments SIG v6.0BITS Shared Assessments SIG v6.0
Jericho ForumJericho Forum
HIPAA/HITECH ActHIPAA/HITECH Act
FedRAMP Security Controls(Final Release Jan 2012)--LOW IMPACT LEVEL--FedRAMP Security Controls(Final Release Jan 2012)--LOW IMPACT LEVEL--
ISO/IEC 27001-2005ISO/IEC 27001-2005
COBIT 4.1COBIT 4.1
GAPP (Aug 2009)GAPP (Aug 2009)
NERC CIPNERC CIP
NIST SP800-53 R3NIST SP800-53 R3 AC-3
NIST SP800-53 R3NIST SP800-53 R3 CM-6
NIST SP800-53 R3NIST SP800-53 R3 CM-7
NIST SP800-53 R3NIST SP800-53 R3 IA-5
PCIDSS v2.0PCIDSS v2.0
FedRAMP Security Controls(Final Release Jan 2012)--MODERATE IMPACT LEVEL--FedRAMP Security Controls(Final Release Jan 2012)--MODERATE IMPACT LEVEL--
BITS Shared Assessments AUP v5.0BITS Shared Assessments AUP v5.0


OVAL    1
oval:gov.nist.usgcb.vista:def:6044
XCCDF    6
xccdf_pci_benchmark_Windows_vista
xccdf_org.secpod_benchmark_hipaa_windows_vista
xccdf_org.secpod_benchmark_nerc_cip_Windows_Vista
xccdf_org.secpod_benchmark_nist_windows_vista
...

© SecPod Technologies