1.2.3 Ensure 'Allow Administrator account lockout' is set to 'Enabled'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

This policy setting determines whether the built-in Administrator account is subject to the following Account Lockout Policy settings: Account lockout duration, Account lockout threshold, and Reset account lockout counter. By default, this account is excluded from the account lockout controls and will never be locked out with repeated bad password attempts.

The recommended state for this setting is: Enabled.

Note: This setting applies only to OSes patched as of October 11, 2022 (see MS KB5020282).

Rationale:

Enabling account lockout policies for the built-in Administrator account will reduce the likelihood of a successful brute force attack.

Impact:

The built-in Administrator account will be subject to the policies in Section 1.2 Account Lockout Policy of this benchmark.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policies\Allow Administrator account lockout

Default Value:

Disabled. (The built-in Administrator account is not subject to the account lockout policy.)
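The following PowerShell script is an added example, not part of the CIS benchmark or of the Tenable audit it is drawn from. It exports the local security policy with `secedit` and reports the Account Lockout Policy values together with the Administrator lockout flag, so an administrator can confirm the state described above on a given host. It assumes (this key name is not on the page) that the exported INF lists the setting as `AllowAdministratorLockout` under `[System Access]` on systems patched for KB5020282, and that the key is simply absent on older builds; it must be run from an elevated prompt.

```powershell
# Added example (not from the CIS benchmark or Tenable audit).
# Assumption: the secedit export names the setting "AllowAdministratorLockout"
# in the [System Access] section on OSes patched as of KB5020282.
# Requires an elevated (Administrator) PowerShell session for secedit /export.

function Get-LocalSecurityPolicy {
    # Export the local security policy to a temporary INF file and parse the
    # [System Access] section into a hashtable of key = value pairs.
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $values = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $line -match '^\s*([^=\s]+)\s*=\s*(.*?)\s*$') {
            $values[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item -Path $inf -Force -ErrorAction SilentlyContinue
    return $values
}

function Test-AdministratorLockoutPolicy {
    param([hashtable]$Policy)

    # Report the Section 1.2 lockout values the Administrator account becomes
    # subject to once 1.2.3 is Enabled (names as used by secedit exports).
    foreach ($key in 'LockoutBadCount', 'LockoutDuration', 'ResetLockoutCount') {
        $shown = if ($Policy.ContainsKey($key)) { $Policy[$key] } else { '<not set>' }
        Write-Output ("{0,-26} = {1}" -f $key, $shown)
    }

    if (-not $Policy.ContainsKey('AllowAdministratorLockout')) {
        return 'NOT APPLICABLE: AllowAdministratorLockout key absent (OS not patched for KB5020282, or assumed key name differs)'
    }
    if ([int]$Policy['AllowAdministratorLockout'] -ne 1) {
        return 'FAIL 1.2.3: Allow Administrator account lockout is Disabled (the default)'
    }

    # Enabling 1.2.3 has no effect unless a lockout threshold exists: a
    # threshold of 0 means no account is ever locked out.
    $threshold = 0
    if ($Policy.ContainsKey('LockoutBadCount')) { $threshold = [int]$Policy['LockoutBadCount'] }
    if ($threshold -eq 0) {
        return 'PASS 1.2.3 but ineffective: Account lockout threshold is 0, so no lockout will ever occur'
    }
    return 'PASS 1.2.3: Allow Administrator account lockout is Enabled'
}

$policy = Get-LocalSecurityPolicy
Test-AdministratorLockoutPolicy -Policy $policy
```

A result of PASS here reflects the local policy database; on a domain-joined host, run `gpupdate /force` first so the exported values include the GPO-applied setting rather than a stale local copy.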

See Also

https://workbench.cisecurity.org/benchmarks/12434