Information
Allow access again after a user has been locked out (due to failed login attempts). The user is allowed access after the configured time if there have been no login attempts during that time. This setting only takes effect if Deny access after failed login attempts is selected.
Rationale:
Users can accidentally lock themselves out of their accounts if they mistype their password multiple times. To reduce the chance of such accidental lockouts, the Allow access again after time setting determines the number of seconds that must elapse before the counter that tracks failed logon attempts and triggers lockouts is reset to 0.
Solution
Run the following command to set the deny-on-fail allow-after setting.
CLI:
Hostname> set password-controls deny-on-fail allow-after 300
GUI:
Navigate to User Management > Password Policy > Deny Access After Failed Login Attempts:
Set the 'Allow access again after time' setting to 300 or more seconds.
Default Value:
1200 (20 minutes)
Notes:
Looking for input regarding a value for this recommendation.
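Audit example (added here, not part of the benchmark or of any vendor tooling): a Python check that reads saved configuration text and reports whether allow-after meets the 300-second minimum, including the case where lockout is disabled and the setting has no effect. It assumes the configuration is available as text containing `set password-controls deny-on-fail ...` lines and that lockout is switched on with `deny-on-fail enable on`; the function names and the sample configuration are constructed for illustration.

```python
import re

MIN_ALLOW_AFTER = 300  # seconds, the minimum this recommendation gives

# Constructed sample of saved configuration lines (not captured from a device).
# The "enable on" line is an assumed form of the lockout switch.
SAMPLE_CONFIG = """\
set password-controls deny-on-fail enable on
set password-controls deny-on-fail allow-after 120
"""

_LINE = re.compile(
    r"^\s*set\s+password-controls\s+deny-on-fail\s+(\S+)\s+(\S+)\s*$"
)


def parse_deny_on_fail(config_text):
    """Collect deny-on-fail settings; a later line overrides an earlier one."""
    settings = {}
    for line in config_text.splitlines():
        match = _LINE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def audit_allow_after(config_text, minimum=MIN_ALLOW_AFTER):
    """Return (passed, reason) for the allow-after recommendation."""
    settings = parse_deny_on_fail(config_text)
    # The setting only takes effect when lockout itself is enabled.
    if settings.get("enable") != "on":
        return False, "deny-on-fail is not enabled, so allow-after has no effect"
    raw = settings.get("allow-after")
    if raw is None:
        return False, "allow-after is not set explicitly in this configuration"
    if not raw.isdigit():
        return False, f"allow-after value {raw!r} is not a number of seconds"
    if int(raw) < minimum:
        return False, f"allow-after is {raw}s, below the {minimum}s minimum"
    return True, f"allow-after is {raw}s"


if __name__ == "__main__":
    print(audit_allow_after(SAMPLE_CONFIG))
```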