CCE-42730-2Platform: cpe:/o:microsoft:windows_10 | Date: (C)2016-09-23 (M)2023-07-04 |
Disable: 'Disallow standard users from changing the PIN or password'
This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first.
This policy setting is applied when you turn on BitLocker.
If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords.
If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords.
Counter Measure:
Enabling this policy setting is a more secure configuration, however many organizations will find it much easier to support BitLocker if they allow standard users to create their own personalized PIN.
Potential Impact:
If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords.
If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords."
Parameter:
[enable/disable]
Technical Mechanism:
(1) GPO: Computer ConfigurationAdministrative TemplatesWindows ComponentsBitLocker Drive EncryptionOperating System DrivesDisallow standard users from changing the PIN or password
(2) REG: HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftFVEDisallowStandardUserPINReset
CCSS Severity: | CCSS Metrics: |
CCSS Score : 7.0 | Attack Vector: LOCAL |
Exploit Score: 1.0 | Attack Complexity: HIGH |
Impact Score: 5.9 | Privileges Required: LOW |
Severity: HIGH | User Interaction: NONE |
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:35173 |