3.5 Ensure 'Number of attempts allowed' is set to '10'

Information

This policy setting is used to restrict the number of failed logon attempts a user can make before an account is locked out.

Rationale:

This setting can reduce the likelihood that an unauthorized user can guess the password of a device to access data stored on it.

Impact:

A locked-out account cannot be used again until an administrator either resets it or the account lockout duration expires.

Note: This is a mobile device management setting. Use caution when applying these settings, as they could have adverse effects depending on the environment and on internal policies around bring your own device (BYOD). These policies could affect a user's BYOD device.

Solution

To implement the recommended state, execute the following PowerShell cmdlet:

Set-MobileDeviceMailboxPolicy 'Profile' -MaxPasswordFailedAttempts 10
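
To see which mobile device mailbox policies already match the recommended state before changing any of them, the following added example (not part of the benchmark text) evaluates policy objects shaped like Get-MobileDeviceMailboxPolicy output and treats an 'Unlimited' value as non-compliant. The helper name Test-MaxPasswordFailedAttempts and the sample policy names other than 'Profile' are hypothetical, and the sample objects are constructed.

```powershell
# Added example: audit helper for this recommendation, not the benchmark's own code.
# Required value taken from the recommendation title.
$RequiredAttempts = 10

function Test-MaxPasswordFailedAttempts {
    # Hypothetical helper. Accepts objects that expose the Name and
    # MaxPasswordFailedAttempts properties of a mobile device mailbox policy.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Policy
    )
    process {
        # The property can hold a number or 'Unlimited', and over a remote
        # session it may arrive as a deserialized object, so compare its
        # string form instead of assuming an integer.
        $raw = "$($Policy.MaxPasswordFailedAttempts)"
        $parsed = 0
        $isNumber = [int]::TryParse($raw, [ref]$parsed)

        [pscustomobject]@{
            Policy    = $Policy.Name
            Current   = $raw
            Compliant = ($isNumber -and $parsed -eq $RequiredAttempts)
        }
    }
}

# Constructed sample input so the check can be exercised offline.
$sample = @(
    [pscustomobject]@{ Name = 'Default';     MaxPasswordFailedAttempts = 'Unlimited' }
    [pscustomobject]@{ Name = 'Profile';     MaxPasswordFailedAttempts = 10 }
    [pscustomobject]@{ Name = 'Contractors'; MaxPasswordFailedAttempts = 6 }
)
$sample | Test-MaxPasswordFailedAttempts | Format-Table -AutoSize

# Against a live tenant (assumes an authenticated Exchange Online session):
#   Get-MobileDeviceMailboxPolicy | Test-MaxPasswordFailedAttempts |
#       Where-Object { -not $_.Compliant }
```

With the constructed sample, only 'Profile' is reported as compliant; 'Default' fails because 'Unlimited' never locks the device, and 'Contractors' fails because 6 differs from the required 10.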

Default Value:

6

See Also

https://workbench.cisecurity.org/benchmarks/12442