Level 2


Description:

This requirement applies regardless of whether the logon occurs via a local or network connection. Because a permanent lockout can be turned into a denial of service against the locked account, automatic lockouts initiated by systems are, in most cases, temporary and automatically release after a predetermined period established by the organization (i.e., a delay algorithm). If a delay algorithm is selected, organizations may employ different algorithms for different system components based on the capabilities of the respective components. Responses to unsuccessful logon attempts may be implemented at the operating system and application levels.


Priority: High 


Domain: ACCESS CONTROL (AC) 


Services Associated with AWS: 

  • AWS Identity and Access Management (IAM)
  • AWS WAF, AWS Shield
  • AWS CloudWatch, Amazon GuardDuty, AWS Identity and Access Management (IAM)


Services Associated with Azure:

  • Azure Active Directory (Azure AD)
  • Azure AD Identity Protection
  • Azure AD Password Protection
  • Azure AD Smart Lockout
  • Azure Multi-Factor Authentication (MFA)
  • Azure Security Center
  • Azure Sentinel
  • Azure Monitor
  • Azure Virtual Machines
  • Azure Active Directory Domain Services (Azure AD DS)


Objective Evidence: 

  • Administrative: documented policies, standards & procedures 
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations 
  • Technical: screenshot of configuration settings


Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)


What needs to be answered:

Are accounts locked after some number of unsuccessful login attempts? 


Checks for AWS

  • Ensure Unsuccessful Logon Attempts Are Limited
    Description: This check verifies that the system is configured to limit unsuccessful logon attempts, reducing the risk of unauthorized access via brute force methods.
  • Validate Automatic Lockout Settings
    Description: This check confirms that automatic lockouts are initiated after a set number of unsuccessful logon attempts and that they release after a predetermined period established by the organization.
  • Check Delay Algorithm Implementation
    Description: This check ensures that delay algorithms are employed so that repeated unsuccessful logon attempts cannot be used to lock legitimate users out indefinitely (a denial of service). It also verifies that different algorithms are used for different system components, based on their capabilities.
  • Confirm Logon Attempt Response at OS and Application Levels
    Description: This check verifies that responses to unsuccessful logon attempts, such as alerts or lockouts, are implemented both at the operating system and application levels.


Checks for Azure

  • Ensure Limited Unsuccessful Logon Attempts
    Description: This policy check ensures that the Azure system is configured to limit the number of unsuccessful logon attempts for user accounts. By limiting the attempts, it helps mitigate the risk of unauthorized access through brute force or password guessing attacks.
  • Validate Automatic Lockout Settings
    Description: This policy check confirms that automatic lockouts are initiated after a defined number of unsuccessful logon attempts for user accounts in Azure. The lockouts are temporary and automatically release after a predetermined period established by the organization, helping to prevent unauthorized access and potential denial-of-service attacks.
  • Check Implementation of Delay Algorithm
    Description: This policy check verifies that Azure implements delay algorithms to prevent denial-of-service attacks caused by repeated unsuccessful logon attempts. Different delay algorithms may be used for different system components based on their capabilities, providing an effective defense mechanism against unauthorized access attempts.
  • Confirm Logon Attempt Response at OS and Application Levels
    Description: This policy check ensures that both the operating system and application levels in Azure have appropriate responses in place for unsuccessful logon attempts. This includes actions such as generating alerts, initiating lockouts, or implementing other security measures to detect and mitigate unauthorized access attempts.


More Details: Account lockout after six invalid password attempts.
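As an added worked example (not part of this control text and not the behaviour of any AWS or Azure service), the following Python models the two responses the description names: a temporary lockout that releases automatically after a predetermined period, and a delay algorithm (exponential backoff) that slows repeated attempts without ever locking the account outright. Both policies are replayed over constructed auth-log lines so the decisions can be inspected. The six-attempt threshold comes from the "More Details" line above; the 15-minute failure window and lockout duration, the backoff base and cap, the `user=... result=...` log format and the account names are assumptions made for the example.

```python
"""Replay constructed auth-log lines against two unsuccessful-logon policies.

FixedLockoutPolicy: lock after MAX_ATTEMPTS failures inside FAILURE_WINDOW and
release automatically once LOCKOUT_DURATION has elapsed (temporary lockout).
DelayPolicy: the n-th consecutive failure delays the next accepted attempt by
min(BASE * 2**(n-1), MAX) seconds, so an attacker cannot lock a user out.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MAX_ATTEMPTS = 6                          # "account lockout after six invalid password attempts"
FAILURE_WINDOW = timedelta(minutes=15)    # assumption: older failures are forgotten
LOCKOUT_DURATION = timedelta(minutes=15)  # assumption: predetermined auto-release period
BASE_DELAY_SECONDS = 1.0                  # assumption: first backoff delay
MAX_DELAY_SECONDS = 60.0                  # assumption: cap so backoff never becomes a lockout


@dataclass
class Account:
    failures: List[datetime] = field(default_factory=list)  # timestamps of counted failures
    locked_until: Optional[datetime] = None                 # fixed-lockout state
    next_allowed: Optional[datetime] = None                 # delay-algorithm state


class FixedLockoutPolicy:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def attempt(self, user: str, ts: datetime, success: bool) -> str:
        acct = self.accounts.setdefault(user, Account())
        if acct.locked_until is not None:
            if ts < acct.locked_until:
                return "LOCKED"            # rejected without evaluating the credential
            acct.locked_until = None       # period elapsed: automatic release
            acct.failures.clear()
        if success:
            acct.failures.clear()
            return "OK"
        acct.failures = [t for t in acct.failures if ts - t <= FAILURE_WINDOW]
        acct.failures.append(ts)
        if len(acct.failures) >= MAX_ATTEMPTS:
            acct.locked_until = ts + LOCKOUT_DURATION
            return "LOCKOUT"               # this failure triggered the temporary lockout
        return "FAIL"


class DelayPolicy:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def attempt(self, user: str, ts: datetime, success: bool) -> str:
        acct = self.accounts.setdefault(user, Account())
        if acct.next_allowed is not None and ts < acct.next_allowed:
            return "DELAYED"               # too early; not counted as a new failure
        if success:
            acct.failures.clear()
            acct.next_allowed = None
            return "OK"
        acct.failures.append(ts)
        delay = min(BASE_DELAY_SECONDS * 2 ** (len(acct.failures) - 1), MAX_DELAY_SECONDS)
        acct.next_allowed = ts + timedelta(seconds=delay)
        return f"FAIL(delay={delay:g}s)"


# Constructed log format (assumption): "<ISO timestamp> user=<name> result=ok|fail"
LOG_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def replay(policy, log_lines: List[str]) -> List[Tuple[str, str]]:
    """Feed each parsable line to the policy; return (user, decision) per line."""
    events = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                       # ignore lines that do not match the format
        ts = datetime.fromisoformat(m["ts"])
        events.append((m["user"], policy.attempt(m["user"], ts, m["result"] == "ok")))
    return events


# Constructed sample: six failures, one attempt during lockout, one after release.
LOCKOUT_LOG = [f"2024-03-01T10:00:0{i} user=alice result=fail" for i in range(6)] + [
    "2024-03-01T10:00:10 user=alice result=ok",   # still inside the 15-minute lockout
    "2024-03-01T10:15:06 user=alice result=ok",   # lockout released, credential accepted
]

# Constructed sample: backoff doubles per failure; an early retry is rejected but not counted.
DELAY_LOG = [
    "2024-03-01T10:00:00 user=bob result=fail",
    "2024-03-01T10:00:01 user=bob result=fail",
    "2024-03-01T10:00:02 user=bob result=fail",   # before next_allowed (10:00:03)
    "2024-03-01T10:00:03 user=bob result=fail",
    "2024-03-01T10:00:07 user=bob result=ok",
]

if __name__ == "__main__":
    for user, decision in replay(FixedLockoutPolicy(), LOCKOUT_LOG):
        print("lockout policy", user, decision)
    for user, decision in replay(DelayPolicy(), DELAY_LOG):
        print("delay policy", user, decision)
```

Note that only counted failures advance the backoff in `DelayPolicy`: an attempt that arrives before `next_allowed` is refused without touching the counter, so a flood of requests cannot push the delay to its cap any faster than one failure per delay period.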