1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured

Information

Configure values for Failed Login Attempts and Account Lockout Time set to organization-defined values (for example, 3 failed attempts and a 15 minute lockout time). Do not set Failed Attempts and Lockout Time in the Authentication Settings section; any Failed Attempts or Lockout Time settings within the selected Authentication Profile do not apply in the Authentication Settings section.

Rationale:

Without a lockout limit, an attacker can continuously guess administrators' passwords. From the other point of view, if lockout settings are configured in the Authentication Settings section it may be possible for an attacker to continuously lock out all administrative accounts from accessing the device. This potential situation indicates the importance of using named administrative accounts, instead of the default, single shared 'admin' account.

Solution

Navigate to Device > Authentication Profile.
Set Failed Attempts to the non-zero organization-defined value.
Set Lockout Time to the non-zero organization-defined value.

Default Value:

Not configured

See Also

https://workbench.cisecurity.org/benchmarks/17915