CCE-47581-4Platform: cpe:/o:microsoft:windows_server_2016 | Date: (C)2022-09-02 (M)2023-07-04 |
This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer configurationAdministrative TemplatesWindows ComponentsMicrosoft Passport for Work.
If you enable this policy setting, a domain user can set up and sign in with a convenience PIN.
If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN.
Note: that the user's domain password will be cached in the system vault when using this feature.
Countermeasure:
Disable this policy setting.
Potential Impact:
If you enable this policy setting, a domain user can set up and sign in with a PIN.
If you disable or don't configure this policy setting, a domain user can't set up and use a PIN."
Fix:
(1) GPO: Computer ConfigurationAdministrative TemplatesSystemLogonTurn on convenience PIN sign-in
(2) REG: HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsSystem!AllowDomainPINLogon
Parameter:
[enabled/disabled]
Technical Mechanism:
(1) GPO: Computer Configuration\Administrative Templates\System\Logon\Turn on convenience PIN sign-in
(2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System!AllowDomainPINLogon
CCSS Severity: | CCSS Metrics: |
CCSS Score : 8.1 | Attack Vector: NETWORK |
Exploit Score: 2.2 | Attack Complexity: HIGH |
Impact Score: 5.9 | Privileges Required: NONE |
Severity: HIGH | User Interaction: NONE |
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:83542 |