Description:
This requirement applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are, in most cases, temporary and automatically release after a predetermined period established by the organization (i.e., a delay algorithm). If a delay algorithm is selected, organizations may employ different algorithms for different system components based on the capabilities of the respective components. Responses to unsuccessful login attempts may be implemented at the operating system and application levels.
Priority: Medium
Category: Centralized Controls Management
Services Associated with AWS:
- AWS Identity and Access Management (IAM)
- AWS WAF, AWS Shield
- AWS CloudWatch, Amazon GuardDuty, AWS Identity and Access Management (IAM)
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Technical: screen shot of configuration settings
Possible Technology Considerations: Secure Baseline Configurations (SBC)
What needs to be answered:
Are accounts locked after some number of unsuccessful login attempts?
- Ensure Unsuccessful Logon Attempts Are Limited
  Description: This check verifies that the system is configured to limit unsuccessful logon attempts, reducing the risk of unauthorized access via brute force methods.
- Validate Automatic Lockout Settings
  Description: This check confirms that automatic lockouts are initiated after a set number of unsuccessful logon attempts and that they release after a predetermined period established by the organization.
- Check Delay Algorithm Implementation
  Description: This check ensures that delay algorithms are employed to prevent denial of service attacks through repeated unsuccessful logon attempts. It also verifies that different algorithms are used for different system components, based on their capabilities.
- Confirm Logon Attempt Response at OS and Application Levels
  Description: This check verifies that responses to unsuccessful logon attempts, such as alerts or lockouts, are implemented both at the operating system and application levels.
More details: Account lockout after six invalid password attempts.
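As an added example (not part of the control text and not code from any AWS service), an application-level tracker implementing the behaviour described above: a temporary lockout after six invalid attempts that releases automatically, combined with a delay algorithm between attempts. The six-attempt threshold comes from the control; the 15-minute release period and the doubling delay are assumed organization-defined values, and the injectable clock is there so the logic can be tested without waiting.

```python
import time
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 6        # from the control: lock after six invalid attempts
LOCKOUT_SECONDS = 15 * 60    # assumed organization-defined release period
BASE_DELAY_SECONDS = 1.0     # assumed delay algorithm: 1 s, 2 s, 4 s ... per failure


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since last success
    locked_until: float = 0.0  # monotonic time at which a temporary lockout ends
    next_allowed: float = 0.0  # earliest time the next attempt may be processed


class LoginAttemptTracker:
    """Counts failures per account regardless of local or network origin."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._accounts = {}

    def _state(self, user):
        return self._accounts.setdefault(user, AccountState())

    def check_allowed(self, user):
        """Call before verifying credentials. Returns (allowed, seconds_to_wait)."""
        s, now = self._state(user), self._clock()
        if s.locked_until > now:
            return False, s.locked_until - now
        if s.locked_until and s.locked_until <= now:
            # temporary lockout has expired: release automatically, no admin action
            s.failures, s.locked_until, s.next_allowed = 0, 0.0, 0.0
        if s.next_allowed > now:
            return False, s.next_allowed - now
        return True, 0.0

    def record_failure(self, user):
        """Call after a failed credential check. Returns 'locked' or 'delayed'."""
        s, now = self._state(user), self._clock()
        s.failures += 1
        if s.failures >= LOCKOUT_THRESHOLD:
            s.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        # delay algorithm: doubling wait slows guessing without a hard lockout
        s.next_allowed = now + BASE_DELAY_SECONDS * 2 ** (s.failures - 1)
        return "delayed"

    def record_success(self, user):
        """A successful logon clears the failure history for the account."""
        self._accounts.pop(user, None)
```

A separate alert or log record on each "locked" result is what satisfies the OS- and application-level response check above.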