Configure Account Lock Parameters

WS08R2_MCA_00048 (ObjectTemplate)

Windows Server 2008 R2: This control activity guides the IT professional through configuration of user authentication to lock accounts after unsuccessful logon attempts.

Element properties:

Type: Microsoft.SystemCenter.ConfigurationManager.ControlActivityProjection

Source Code:

<ObjectTemplate ID="WS08R2_MCA_00048" TypeID="GRCControl!Microsoft.SystemCenter.ConfigurationManager.ControlActivityProjection">
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/ExternalName$">$MPElement[Name='GRC!System.Compliance.SourceNameEnum.MicrosoftCorporation']$</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/ExternalId$">WS08R2_MCA_00048</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/ExternalVersion$">1.0</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/Type$">$MPElement[Name='GRCControl!System.Compliance.ControlActivity.TypeEnum.Preventive']$</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/Title$">Configure Account Lock Parameters</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/DisplayName$">WS08R2_MCA_00048 Configure Account Lock Parameters</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/Description$">Windows Server 2008 R2: This control activity guides the IT professional through configuration of user authentication to lock accounts after unsuccessful logon attempts.</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/ImplementationMethod$">The product can be configured to support this control activity through central configuration of Group Policy settings. The required Group Policy settings and values are included in the product&#x2019;s baselines. Settings that are specifically associated with this control activity can be found in the Validation tab.

This procedure uses Microsoft Security Compliance Manager to download security baselines cab files that may be used to create backup GPOs. GPO backups can then be applied to the environment. This procedure also uses a Microsoft System Center Configuration Manager Desired Configuration Management Pack (DCM pack), which validates the settings and values that are configured through the applied GPO backups.

Although each control activity contains this procedure, the created GPOs and provided DCM pack need only be applied once per IT Compliance Management Library.

To apply the product baseline:
1. Download the Microsoft Security Compliance Manager toolkit at the following link: http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&amp;displaylang=en
2. Open the Security Compliance Manager tool and download all baselines. Guidance is included within the baselines in the form of Microsoft Excel or Microsoft Word documents that describe which baselines apply to which products.
3. Use the Security Compliance Manager tool to create a GPO backup that consists of all Group Policy setting recommendations for this product's control activities. The provided DCM pack relies upon the following baselines, which must be applied: WS08R2-EC-Member-Server-1.0 and WS08R2-EC-Domain-1.0.
4. Create a new GPO, and import the GPO backups you created into the newly created GPO.
5. Link the GPO to specific organizational units (OUs) that contain the assets within this program's scope.

To apply the product Desired Configuration Management (DCM) pack:
1. Import the provided DCM pack into System Center Configuration Manager.
2. Ensure that the System Center Configuration Manager DCM collection includes all assets within the GRC program scope.
</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/AdditionalGuidance$">For more information, see:

"Security Compliance Manager" at http://technet.microsoft.com/en-us/library/cc677002.aspx

"Auditing Password and Account Lockout Policy on Windows Server 2008 and R2" at
http://blogs.technet.com/askds/archive/2009/11/02/auditing-password-and-account-lockout-policy-on-windows-server-2008-and-r2.aspx

"Unlocking a User Account" at http://technet.microsoft.com/en-us/library/dd391907(WS.10).aspx</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/TestSummary$">Automated Assertion

The required Group Policy settings and values for all control activities in the included library are part of the product baseline. Setting values are provided in accordance with best practices and are validated using the baseline's associated Desired Configuration Management (DCM) pack.

The DCM feature in System Center Configuration Manager compares desired settings to actual settings, and reports compliance status of managed entities to System Center Service Manager. A control activity score (CA score) is calculated based on the managed entity results as compared to the GRC program's success threshold and scope.

The specific settings that are associated with this control activity are as follows:

CI Name:
Account Lock

Settings:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies
1. Account Lockout threshold
2. Account Lockout duration
3. Reset account lockout counter after
</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/TestId$">Microsoft/CI_054f3b19-0895-4019-a627-fba8b80f417b</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/TestName$">Microsoft/CI_054f3b19-0895-4019-a627-fba8b80f417b</Property>
<Property Path="$Context/Property[Type='GRC!System.Compliance.ControlActivity']/SupportedControlObjectives$">GRC_MCO_00010</Property>
<Object Path="$Target/Path[Relationship='GRC!System.Compliance.ControlActivityApplicabilityGroup' TypeConstraint='ApplicabilityInstanceGroup_WindowsServer2008R2Group']">
<Property Path="$Target/Property[Type='System!System.Entity']/DisplayName$">ApplicabilityInstanceGroup_WindowsServer2008R2Group</Property>
</Object>
</ObjectTemplate>