Control: 5.7 Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
Description
The account lockout duration value determines how long an account retains the status of lockout, and therefore how long before a user can continue to attempt to login after passing the lockout threshold.
Account lockout is a method of protecting against brute-force and password spray attacks. Once the lockout threshold has been exceeded, the account enters a lockedout state which prevents all login attempts for a variable duration. The lockout in combination with a reasonable duration reduces the total number of failed login attempts that a malicious actor can execute in a given period of time.
Remediation
Remediate from Azure Portal
- From Azure Home select the Portal Menu.
- Select
Microsoft Entra ID. - Under
Manage, selectSecurity. - Under
Manage, selectAuthentication methods. - Under
Manage, selectPassword protection. - Set the
Lockout durationin seconds to60or higher. - Click
Save.
Default Value
By default, Lockout duration in seconds is set to 60.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v500_5_7Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v500_5_7 --shareSQL
This control uses a named query:
with distinct_tenant as ( select distinct tenant_id, display_name, subscription_id, _ctx from azure_tenant)select id as resource, case when (value)::int >= 60 then 'ok' else 'alarm' end as status, case when (value)::int >= 60 then t.display_name || ' lockout duration is at least 60 seconds.' else t.display_name || ' lockout duration is less than 60 seconds.' end as reason, t.tenant_id from distinct_tenant as t, azuread_directory_settingwhere name = 'LockoutDurationInSeconds';