4.10 Enforce Automatic Device Lockout on Portable End-User Devices
Implementation Groups: IG2, IG3

Asset Type: Devices
Security Function: Respond

Description

Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® Intune Device Lock and Apple® Configuration Profile maxFailedAttempts.

Implementation Checklist

1. Define response procedures and playbooks
2. Assign response roles and responsibilities
3. Establish response timeframes and SLAs
4. Test response procedures through tabletop or simulation
5. Document lessons learned and update procedures
6. Identify systems requiring multi-factor authentication
7. Select and deploy MFA solution
8. Enroll users and distribute authentication factors
9. Test MFA across all identified systems
10. Select hardening benchmark (CIS Benchmarks, DISA STIGs)
11. Create baseline configuration templates
12. Deploy configurations using automation tools
13. Schedule compliance scanning to detect drift

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Brute-Force Password Attack on Lost Device

Confidentiality

An attacker with physical possession of a lost or stolen portable device attempts unlimited password guesses to unlock the device and access all stored data and credentials.

Automated PIN Cracking on Mobile Devices

Confidentiality

Specialized tools perform rapid automated PIN or passcode brute-force attempts against mobile devices without lockout protections, cracking short PINs in minutes.

Vulnerabilities (When Safeguard Absent)

No Failed Authentication Lockout on Portable Devices

Without automatic lockout after failed authentication attempts, attackers can perform unlimited brute-force password guessing against portable devices.

Inconsistent Lockout Thresholds Across Device Types

Without enforced lockout policies for laptops and mobile devices, some devices allow unlimited authentication attempts while others may have inadequate thresholds.
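The thresholds in the Description (20 failed attempts for laptops, 10 for tablets and smartphones) and the "inconsistent thresholds" vulnerability above both come down to one check: does every portable device have a lockout limit, and is that limit at or below the maximum for its device class. The script below is an added example, not part of the CIS page or of any vendor tool. It reads an Apple configuration profile (the `com.apple.mobiledevice.passwordpolicy` payload and its `maxFailedAttempts` key are the real Apple MDM identifiers; the UUIDs and identifiers in the sample are placeholders) and a constructed MDM inventory export, and reports every device that would fall into the "unlimited attempts" or "inadequate threshold" condition. The inventory field names and the convention that 0 or null means "no lockout configured" are assumptions for the example.

```python
"""Audit device-lock settings against Safeguard 4.10 thresholds (added example)."""
import json
import plistlib

# Maximum permitted failed attempts per device class, as stated in the safeguard.
MAX_FAILED_ATTEMPTS = {"laptop": 20, "tablet": 10, "smartphone": 10}

# Constructed sample: a .mobileconfig profile carrying Apple's passcode-policy payload.
# PayloadType and the maxFailedAttempts key are Apple's real names; the UUIDs and
# PayloadIdentifier values are placeholders for this example.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.passcode.profile</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadIdentifier</key><string>example.passcode.policy</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>maxFailedAttempts</key><integer>10</integer>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed sample: a generic MDM inventory export. Field names are assumptions;
# 0 or null in max_failed_attempts is treated as "no lockout configured".
SAMPLE_INVENTORY = json.loads("""[
  {"device": "LT-0001", "type": "laptop",     "max_failed_attempts": 20},
  {"device": "LT-0002", "type": "laptop",     "max_failed_attempts": 0},
  {"device": "TB-0001", "type": "tablet",     "max_failed_attempts": 10},
  {"device": "PH-0001", "type": "smartphone", "max_failed_attempts": 15},
  {"device": "PH-0002", "type": "smartphone", "max_failed_attempts": null}
]""")


def apple_max_failed_attempts(mobileconfig_bytes):
    """Return maxFailedAttempts from the first passcode-policy payload, or None if absent."""
    profile = plistlib.loads(mobileconfig_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.mobiledevice.passwordpolicy":
            return payload.get("maxFailedAttempts")
    return None


def evaluate(device_type, configured_limit):
    """Return (compliant, reason) for one device against the safeguard thresholds."""
    allowed = MAX_FAILED_ATTEMPTS[device_type]
    if not configured_limit:  # None or 0: the device never locks out
        return False, "no lockout threshold configured (unlimited attempts)"
    if configured_limit > allowed:
        return False, f"threshold {configured_limit} exceeds maximum {allowed} for {device_type}"
    return True, f"threshold {configured_limit} within maximum {allowed} for {device_type}"


def audit_apple_profile(device_type, mobileconfig_bytes):
    """Evaluate an Apple profile for a given device class."""
    return evaluate(device_type, apple_max_failed_attempts(mobileconfig_bytes))


def audit_inventory(inventory):
    """Return [(device, compliant, reason)] for every device in an inventory export."""
    return [(d["device"], *evaluate(d["type"], d.get("max_failed_attempts"))) for d in inventory]


def noncompliant_devices(inventory):
    """Names of devices that need remediation, for an evidence record or ticket."""
    return [device for device, ok, _ in audit_inventory(inventory) if not ok]


if __name__ == "__main__":
    print("Apple profile (tablet):", audit_apple_profile("tablet", SAMPLE_MOBILECONFIG))
    for device, ok, reason in audit_inventory(SAMPLE_INVENTORY):
        print(f"{device}: {'PASS' if ok else 'FAIL'} - {reason}")
```

Run against a real export, the FAIL lines are the evidence record for the "Configuration compliance scan results" item in the table below, and the two reason strings map directly onto the two vulnerabilities listed above (no lockout at all, and a threshold above the class maximum).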

Evidence Requirements

Type      | Evidence Item                                                        | Collection Frequency
Document  | Response procedure/playbook documentation                            | Reviewed bi-annually
Record    | Response action logs showing procedure execution                     | Per incident
Technical | Configuration compliance scan results against approved baseline      | Scanned monthly
Document  | Approved baseline configuration documentation                        | Reviewed quarterly
Document  | Governing policy document (current, approved, communicated)          | Reviewed annually