18.9.11.2.15 Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'

Information

This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives.

Note: This setting is enforced when turning on BitLocker, not when unlocking a volume. BitLocker will allow unlocking a drive with any of the protectors available on the drive.
The recommended state for this setting is: Disabled.

Rationale:

Using a dictionary-style attack, passwords can be guessed or discovered by repeatedly attempting to unlock a drive. Since this type of BitLocker password does include anti-dictionary attack protections provided by a TPM, for example, there is no mechanism to slow down rapid brute-force attacks against them.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Configure use of passwords for operating system drives

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).

Impact:

The password option will not be available when configuring BitLocker for the operating system drive.

See Also

https://workbench.cisecurity.org/files/2458

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-28, CCE|CCE-32937-5, CSCv6|13.2, CSCv7|13.6

Plugin: Windows

Control ID: d34525bcea84f3b3af6e2678bf32ffc0f55d75263db15c5a5d91161f6674945c