1.2.3 (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'

Information

This policy setting determines whether the built-in Administrator account is subject to the following Account Lockout Policy settings:

Account lockout duration

,

Account lockout threshold

, and

Reset account lockout counter

. By default, this account is excluded from the account lockout controls and will never be locked out with repeated bad password attempts.

The recommended state for this setting is: Enabled

Note: This setting applies only to OSes patched as of October 11, 2022 (see

MS KB5020282

).

Enabling account lockout policies for the built-in Administrator account will reduce the likelihood of a successful brute force attack.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled :

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policies\Allow Administrator account lockout

Impact:

The built-in Administrator account will be subject to the policies in Section

1.2 Account Lockout Policy

of this benchmark.

See Also

https://workbench.cisecurity.org/benchmarks/16515