CCE-43295-5 | Platform: cpe:/o:microsoft:windows_10 | Date: (C)2016-09-23 (M)2023-07-04 |
Disable: 'Allow enhanced PINs for startup'
This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker.
Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker.
If you enable this policy setting, all new BitLocker startup PINs set will be enhanced PINs.
Note: Not all computers may support enhanced PINs in the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup.
If you disable or do not configure this policy setting, enhanced PINs will not be used.
Counter Measure:
Numeric-only PINs provide much less entropy than alphanumeric PINs. Expanding the character set from the 10 digits derived from the function keys to include at least the 26 alphabetic characters of a typical US-ENG keyboard significantly increases the entropy of a PIN and dramatically increases the number of attempts an attacker needs to brute-force the system.
Potential Impact:
Not all computers enable full keyboard support in the PreOS environment. Some keys may not be available. It is recommended this functionality be tested using the computers in your environment prior to it being deployed.
Parameter:
[enable/disable]
Technical Mechanism:
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Allow enhanced PINs for startup
(2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\UseEnhancedPin
CCSS Severity: | CCSS Metrics: |
---|---|
CCSS Score: 8.1 | Attack Vector: NETWORK |
Exploit Score: 2.2 | Attack Complexity: HIGH |
Impact Score: 5.9 | Privileges Required: NONE |
Severity: HIGH | User Interaction: NONE |
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
 | Confidentiality: HIGH |
 | Integrity: HIGH |
 | Availability: HIGH |
References:
Resource Id | Reference |
---|---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:35260 |