CCE-44437-2Platform: cpe:/o:microsoft:windows_10 | Date: (C)2016-09-23 (M)2023-07-04 |
Disable: 'Turn on convenience PIN sign-in'
This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer configurationAdministrative TemplatesWindows ComponentsMicrosoft Passport for Work.
If you enable this policy setting, a domain user can set up and sign in with a convenience PIN.
If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN.
Note that the user's domain password will be cached in the system vault when using this feature.
Counter Measure:
Disable this policy setting.
Potential Impact:
If you enable this policy setting, a domain user can set up and sign in with a PIN.
If you disable or don't configure this policy setting, a domain user can't set up and use a PIN."
Parameter:
[enable/disable]
Technical Mechanism:
(1) GPO: Computer ConfigurationAdministrative TemplatesSystemLogonTurn on convenience PIN sign-in
(2) REG: HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftWindowsSystemAllowDomainPINLogon
CCSS Severity: | CCSS Metrics: |
CCSS Score : 8.1 | Attack Vector: NETWORK |
Exploit Score: 2.2 | Attack Complexity: HIGH |
Impact Score: 5.9 | Privileges Required: NONE |
Severity: HIGH | User Interaction: NONE |
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:35451 |