To provide guidance on how to map your cyber hygiene practices to the MITRE ATT&CK framework, we’ve started to create a series of Automox Worklets™. Our goal is to showcase the power and flexibility of these worklets to bolster your cyber hygiene and prevent or mitigate real-world threats.
Both the Center for Internet Security (CIS) security controls and the MITRE ATT&CK framework provide crucial intelligence to maintain a strong cybersecurity posture. By practicing good cyber hygiene as directed by the CIS, you can prevent and mitigate real-world threats identified throughout the MITRE ATT&CK framework.
With this Automox Worklet, we’ve chosen to highlight the first tactic in the ATT&CK matrix, Initial Access, and even more specifically the technique ID:T1078, or Valid Accounts. For additional information on this tactic and technique, refer to our blog on the topic.
Automox Worklet: Set Account Lockout Policies per CIS Recommendations
This Automox Worklet automatically applies the CIS recommendations for (1) Account Policies (1.1) Account Lockout. It is highly recommended that all Windows devices adhere to these recommendations and be evaluated frequently to ensure compliance.
Please Read - CIS Account Lockout Recommendations
The following policies are broken down in the worklet remediation code below. Most of these settings are configurable by the security admin, but Automox has aligned the default settings in the code to match the CIS recommendations.
1.2 Account Lockout
1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)'
1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'
1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'
1.2.1 Ensure 'Account lockout duration' is set to '15 or more minute(s)' [configurable]
This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, locked out accounts will remain locked until an administrator manually unlocks them.
Although it might seem like a good idea to configure the value for this policy setting to a high value, such a configuration will likely increase the number of calls that the help desk receives to unlock accounts locked by mistake. Users should be aware of the length of time a lock remains in place, so that they realize they only need to call the help desk if they have an extremely urgent need to regain access to their computer.
The recommended state for this setting is: 15 or more minute(s).
1.2.2 Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s)' [configurable]
This policy setting determines the number of failed logon attempts before the account is locked. Setting this policy to 0 does not conform to the benchmark, as doing so disables the account lockout threshold.
The recommended state for this setting is: 10 or fewer invalid logon attempt(s), but not 0.
1.2.3 Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' [configurable]
This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setting.
The recommended state for this setting is: 15 or more minute(s).
CIS Account Lockout Remediation Code
The remediation code will automatically set all of the account lockout policy settings described above when executed from the Worklet across the endpoints. Be sure to configure any values you desire, or keep the defaults. You will copy and paste the remediation code into the new worklet policy when you create it.
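As an added example, not the Worklet's own remediation code from the Automox Alive posting: a PowerShell script that checks the three settings above against the CIS values and applies the defaults with `net accounts` only when the device is non-compliant. It assumes it runs elevated (the Automox agent runs as SYSTEM) and targets local policy; on a domain-joined device, domain Group Policy still governs domain accounts.

```powershell
# Added example, not Automox's worklet code. Checks and applies CIS 1.2.1-1.2.3
# account lockout settings on the local machine. Assumes an elevated context.

# Configurable values; defaults match the CIS recommendations.
$LockoutDuration  = 15   # 1.2.1: minutes, 15 or more
$LockoutThreshold = 10   # 1.2.2: attempts, 10 or fewer but not 0
$ResetCounter     = 15   # 1.2.3: minutes, 15 or more, must be <= duration

# Validate the chosen values against the benchmark before touching the system.
if ($LockoutThreshold -lt 1 -or $LockoutThreshold -gt 10) { throw "Threshold must be 1..10 (got $LockoutThreshold)" }
if ($LockoutDuration -lt 15) { throw "Lockout duration must be >= 15 minutes (got $LockoutDuration)" }
if ($ResetCounter -lt 15 -or $ResetCounter -gt $LockoutDuration) {
    throw "Reset counter must be >= 15 and <= lockout duration (got $ResetCounter)"
}

# Read the effective local policy by parsing the 'net accounts' report.
function Get-LockoutPolicy {
    $out = net accounts
    $get = { param($label) ($out | Where-Object { $_ -like "$label*" }) -replace '^.*:\s*', '' }
    $threshold = & $get 'Lockout threshold'
    [pscustomobject]@{
        # 'Never' means the threshold is 0, i.e. lockout is disabled (fails 1.2.2).
        Threshold = if ($threshold -eq 'Never') { 0 } else { [int]$threshold }
        Duration  = [int](& $get 'Lockout duration (minutes)')
        Window    = [int](& $get 'Lockout observation window (minutes)')
    }
}

# True when all three settings satisfy the CIS recommended state.
function Test-LockoutPolicy($p) {
    ($p.Threshold -ge 1) -and ($p.Threshold -le 10) -and ($p.Duration -ge 15) -and ($p.Window -ge 15)
}

$before = Get-LockoutPolicy
if (Test-LockoutPolicy $before) {
    Write-Output "Compliant: $($before | ConvertTo-Json -Compress)"
    exit 0
}

# Remediate. Windows rejects an observation window longer than the duration,
# which the validation above already rules out.
net accounts /lockoutduration:$LockoutDuration /lockoutwindow:$ResetCounter /lockoutthreshold:$LockoutThreshold
if ($LASTEXITCODE -ne 0) { Write-Error "net accounts failed with exit code $LASTEXITCODE"; exit 1 }

# Re-read and confirm the change actually took effect.
$after = Get-LockoutPolicy
if (-not (Test-LockoutPolicy $after)) { Write-Error "Still non-compliant: $($after | ConvertTo-Json -Compress)"; exit 1 }
Write-Output "Remediated: $($after | ConvertTo-Json -Compress)"
```

The exit codes follow the usual worklet convention (0 compliant, non-zero otherwise), so the same logic can be split into evaluation and remediation code if you prefer the two-part layout.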
To deploy this endpoint hardening Worklet, view the original posting on the Automox Alive community.
Tips for Creating an Automox Worklet
Before deploying an Automox Worklet to the production environment, we suggest testing this on a few devices to confirm its accuracy. If you have any questions, please contact our support team for technical assistance at support@automox.com.
For step-by-step instructions on creating the Worklet, see our user documentation: Create a Worklet.
Automox for Easy IT Operations
Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.
Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.