1.12 Ensure Maximum number of failed attempts allowed is set to 5 or fewer

Information

This only takes effect if Deny access after failed attempts is enabled. The number of failed login attempts that a user is allowed before being locked out. After making that many successive failed attempts, future attempts will fail. When one login attempt succeeds, counting of failed attempts stops, and the count is reset to zero.

Rationale:

Repeated failed login attempts could either be a valid user who has forgotten the password, or a malicious attempt to gain access to the system. For this reason, this setting should be as restrictive as possible to mitigate brute force attack attempts to discover a user's password.

Solution

Run the following command to set the deny-on-fail failures-allowed setting.
CLI:

Hostname>set password-controls deny-on-fail failures-allowed 5



GUI:

Navigate to User Management > Password Policy > Deny Access After Failed Login Attempts:
checked and set ' Maximum number of failed attempts allowed is set to' setting to 5 or fewer.

Default Value:

10

See Also

https://workbench.cisecurity.org/files/2828

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-11

Plugin: CheckPoint

Control ID: 71277173a1510d7ebf2ce50822109f76153759f671eef0d0b5c1856f9737b876