Information
This policy setting determines whether the built-in Administrator account is subject to the following Account Lockout Policy settings: Account lockout duration, Account lockout threshold, and Reset account lockout counter. By default, this account is excluded from the account lockout controls and will never be locked out with repeated bad password attempts.
The recommended state for this setting is: Enabled.
Note: This setting applies only to OSes patched as of October 11, 2022 (see MS KB5020282).
Rationale:
Enabling account lockout policies for the built-in Administrator account will reduce the likelihood of a successful brute force attack.
Impact:
The built-in Administrator account will be subject to the policies in Section 1.2 Account Lockout Policy of this benchmark.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policies\Allow Administrator account lockout
Default Value:
Disabled. (The built-in Administrator account is not subject to the account lockout policy.)