L1 BIO 09.02.01 ISO A.9.4.2 CIS Windows - Lockout reset

Intune: Account Lockout Reset Counter (15 Minutes)

πŸ“… 2025-10-30
β€’
⏱️ 3 minuten lezen
β€’
πŸ”΄ Must-Have

πŸ’Ό Management Samenvatting

Account lockout reset counter = time window for counting failed attempts - aanbeveling: 15 minutes (matches lockout duration).

Aanbeveling
IMPLEMENT
Risico zonder
Medium
Risk Score
5/10
Implementatie
2u (tech: 1u)
Van toepassing op:
βœ“ Windows 10
βœ“ Windows 11

Reset counter = brute-force window: Scenario: User typos password 3 times β†’ waits 20 minutes β†’ tries again, WITHOUT reset counter: Failed attempts accumulate FOREVER (3 old + 2 new = 5 β†’ lockout), WITH reset counter 15 min: 3 old attempts expired (>15 min ago) β†’ counter reset to 0 β†’ 2 new attempts = not locked. Brute-force defense: Attacker tries 4 passwords β†’ waits 20 min (reset counter) β†’ tries 4 more β†’ REPEAT (slow-and-low attack). Best practice: Reset counter = Lockout duration (15 min) - synchronized policy.

PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementatie

Reset counter 15 min: Policy: Reset account lockout counter after: 15 minutes, Effect: Failed attempts older than 15 min = NOT counted, Sliding window: Only recent 15 min failures count toward threshold (5 attempts), Synchronized: Matches lockout duration (15 min) - consistent policy.

Vereisten

  1. Intune subscription
  2. Windows 10/11
  3. Lockout threshold: 5 attempts
  4. Lockout duration: 15 min (synchronized)

Implementatie

Gebruik PowerShell-script account-lockout-reset.ps1 (functie Invoke-Implementation) – Implementeren.

Intune Settings Catalog: Account Lockout Policy β†’ Reset account lockout counter after: 15 minutes. Synchronized with lockout duration (15 min).

Compliance

CIS Windows Benchmark L1 (15 min), BIO 09.02, ISO 27001 A.9.4.2.

Monitoring

Gebruik PowerShell-script account-lockout-reset.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script account-lockout-reset.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# ================================================================================ POWERSHELL SCRIPT - Nederlandse Baseline voor Veilige Cloud ================================================================================ .SYNOPSIS Account Lockout Reset Counter .DESCRIPTION Implementeert, monitort en herstelt: Account Lockout Reset Counter .NOTES Filename: account-lockout-reset.ps1 Author: Nederlandse Baseline voor Veilige Cloud Version: 1.0 Workload: intune Category: security-options #> #Requires -Version 5.1 [CmdletBinding()] param() $ErrorActionPreference = 'Stop' function Invoke-Implementation { <# .SYNOPSIS Implementeert de configuratie #> [CmdletBinding()] param() Write-Host "[INFO] Invoke-Implementation - Account Lockout Reset Counter" -ForegroundColor Cyan Invoke-Remediation } function Invoke-Monitoring { <# .SYNOPSIS Controleert de huidige configuratie status #> [CmdletBinding()] param() try { Write-Host " ========================================" -ForegroundColor Cyan Write-Host "Account Lockout Reset Counter - Monitoring" -ForegroundColor Cyan Write-Host "========================================" -ForegroundColor Cyan # TODO: Implementeer monitoring logica voor Account Lockout Reset Counter Write-Host "[INFO] Monitoring check voor Account Lockout Reset Counter" -ForegroundColor Yellow Write-Host "[OK] Monitoring check completed" -ForegroundColor Green } catch { Write-Error "Monitoring failed: $_" throw } } function Invoke-Remediation { <# .SYNOPSIS Herstelt de configuratie naar de gewenste staat #> [CmdletBinding()] param() try { Write-Host " ========================================" -ForegroundColor Cyan Write-Host "Account Lockout Reset Counter - Remediation" -ForegroundColor Cyan Write-Host "========================================" -ForegroundColor Cyan # TODO: Implementeer remediation logica voor Account Lockout Reset Counter Write-Host "[INFO] Remediation voor Account Lockout Reset Counter" -ForegroundColor Yellow Write-Host "[OK] Remediation completed" -ForegroundColor Green } catch { Write-Error "Remediation failed: $_" throw } }

Risico zonder implementatie

Risico zonder implementatie
Medium: Medium: No reset = legitimate user lockouts accumulate (typos over days).

Management Samenvatting

Account lockout reset counter: 15 minutes. Synchronized with lockout duration. Brute-force defense + user-friendly. Implementatie: 1-2 uur.