18.9.11.2.10 Ensure 'Configure minimum PIN length for startup' is set to 'Enabled: 7 or more characters'

Information

This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.

The recommended state for this setting is: Enabled: 7 or more characters.

Rationale:

BitLocker requires the use of the function keys [F1-F10] for PIN entry since the PIN is entered in the pre-OS environment before localization support is available. This limits each PIN digit to one of ten possibilities. The TPM has an anti-hammering feature that includes a mechanism to exponentially increase the delay for PIN retry attempts; however, using a PIN that is short in length improves an attacker's chances of guessing the correct PIN.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: 7 or more characters:

Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Configure minimum PIN length for startup

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

Impact:

The minimum length of the startup PIN will be 7 or more digits (up to a maximum of 20 digits), as specified.

Default Value:

Disabled. (Users can configure a startup PIN of any length between 4 and 20 digits.)

See Also

https://workbench.cisecurity.org/files/2700

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SC-28(1), 800-53|SI-7(9), CSCv6|2, CSCv6|13.2

Plugin: Windows

Control ID: 9fbf32adc227c25ec2feb8e4507f2e031055db89d235e434e4a46e6e3a6d1ca4