Interactive logon: Require Domain Controller authentication to unlock workstationID: oval:org.secpod.oval:def:18867 | Date: (C)2014-05-29 (M)2023-07-14 |
Class: COMPLIANCE | Family: windows |
The Interactive logon: Require Domain Controller authentication to unlock workstation setting should be configured correctly.
Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting determines whether it is necessary to contact a domain controller to unlock a computer. If you enable this setting, a domain controller must authenticate the domain account that is being used to unlock the computer. If you disable this setting, logon information confirmation with a domain controller is not required for a user to unlock the computer. However, if you configure the Interactive logon: Number of previous logons to cache (in case domain controller is not available) setting to a value that is greater than zero, then the users cached credentials will be used to unlock the computer. Note: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require Domain Controller authentication to unlock workstation
(2) KEY: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon
Platform: |
Microsoft Windows Server 2008 R2 |