This policy setting determines the number of failed logon attempts before the account is locked. Setting this policy to 0 does not conform to the benchmark as doing so disables the account lockout threshold. The STIG recommended state for this setting is: 3 or fewer invalid logon attempt(s), but not 0. Rationale: Setting an account lockout threshold reduces the likelihood that an online password brute force attack will be successful. Setting the account lockout threshold too low introduces risk of increased accidental lockouts and/or a malicious actor intentionally locking out accounts. Impact: If this policy setting is enabled, a locked-out account will not be usable until it is reset by an administrator or until the account lockout duration expires. This setting may generate additional help desk calls. If you enforce this setting an attacker could cause a denial of service condition by deliberately generating failed logons for multiple user, therefore you should also configure the Account Lockout Duration to a relatively low value. If you configure the Account Lockout Threshold to 0, there is a possibility that an attacker's attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism is not in place.
Solution
To establish the recommended configuration via GP, set the following UI path to 3 or fewer invalid login attempt(s), but not 0: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold Default Value: 0 failed logon attempts. Additional Information: This Benchmark Recommendation maps to: Microsoft Windows Server 2016 Security Technical Implementation Guide: Version 1, Release 13, Benchmark Date: May 15, 2020 Vul ID: V-73311 Rule ID: SV-87963r2_rule STIG ID: WN16-AC-000020 Severity: CAT II