STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← AC-7 — Unsuccessful Logon Attempts

CCI-002238

Definition

Automatically lock the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.

Parent Control

AC-7Unsuccessful Logon AttemptsAccess Control

Linked STIG Checks (127)

V-255608CAT IIThe A10 Networks ADC must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.A10 Networks ADC NDM Security Technical Implementation Guide V-204689CAT IIAAA Services must be configured to maintain locks on user accounts until released by an administrator.AAA Services Security Requirements Guide V-274154CAT IIAmazon Linux 2023 must automatically lock an account when three unsuccessful logon attempts occur.Amazon Linux 2023 Security Technical Implementation Guide V-274155CAT IIAmazon Linux 2023 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.Amazon Linux 2023 Security Technical Implementation Guide V-274156CAT IIAmazon Linux 2023 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.Amazon Linux 2023 Security Technical Implementation Guide V-274157CAT IIAmazon Linux 2023 must maintain an account lock until the locked account is released by an administrator.Amazon Linux 2023 Security Technical Implementation Guide V-268081CAT IINixOS must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.Anduril NixOS Security Technical Implementation Guide V-252448CAT IIThe macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked.Apple macOS 12 (Monterey) Security Technical Implementation Guide V-257154CAT IIThe macOS system must enforce the limit of three consecutive invalid logon attempts by a user before the user account is locked.Apple macOS 13 (Ventura) Security Technical Implementation Guide V-268428CAT IIThe macOS system must limit consecutive failed login attempts to three.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268440CAT IIThe macOS system must set account lockout time to 15 minutes.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-277036CAT IIThe macOS system must limit consecutive failed login attempts to three.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277048CAT IIThe macOS system must set account lockout time to 15 minutes.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-222433CAT IIThe application administrator must follow an approved process to unlock locked user accounts.Application Security and Development Security Technical Implementation Guide V-237337CAT IThe ArcGIS Server Windows authentication must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.ArcGIS for Server 10.3 Security Technical Implementation Guide V-272627CAT IIICylanceON-PREM must be configured to use a third-party identity provider.Arctic Wolf CylanceON-PREM Security Technical Implementation Guide V-256842CAT IICompliance Guardian must provide automated mechanisms for supporting account management functions.AvePoint Compliance Guardian Security Technical Implementation Guide V-276012CAT IAx-OS must have no local accounts for the user interface.Axonius Federal Systems Ax-OS Security Technical Implementation Guide V-219166CAT IIThe Ubuntu operating system must be configured so that three consecutive invalid logon attempts by a user automatically locks the account until released by an administrator.Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide V-238235CAT IIIThe Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-260549CAT IIIUbuntu 22.04 LTS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-270690CAT IIIUbuntu 24.04 LTS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-221925CAT IIThe Central Log Server must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.Central Log Server Security Requirements Guide V-269153CAT IIAlmaLinux OS 9 must maintain an account lock until the locked account is manually released by an administrator; and not automatically after a set time.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269154CAT IIAlmaLinux OS 9 must ensure account locks persist across reboots.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269155CAT IIAlmaLinux OS 9 must configure the appropriate SELinux context on the nondefault faillock tally directory.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-233165CAT IIThe container platform must automatically lock an account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.Container Platform Security Requirements Guide V-270910CAT IIDragos Platform must use an Identity Provider (IDP) for authentication and authorization processes.Dragos Platform 2.x Security Technical Implementation Guide V-260035CAT IIThe Enterprise Voice, Video, and Messaging Session Manager, when using locally stored user accounts, must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide V-229002CAT IIThe BIG-IP appliance must be configured to automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.F5 BIG-IP Device Management Security Technical Implementation Guide V-255649CAT IICounterACT must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.ForeScout CounterACT NDM Security Technical Implementation Guide V-203698CAT IIThe operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.General Purpose Operating System Security Requirements Guide V-230173CAT IIThe HP FlexFabric Switch must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.HP FlexFabric Switch NDM Security Technical Implementation Guide V-215171CAT IIAIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator.IBM AIX 7.x Security Technical Implementation Guide V-252565CAT IIIBM Aspera Console must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.IBM Aspera Platform 4.2 Security Technical Implementation Guide V-252581CAT IIIBM Aspera Faspex must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.IBM Aspera Platform 4.2 Security Technical Implementation Guide V-252600CAT IIIBM Aspera Shares must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.IBM Aspera Platform 4.2 Security Technical Implementation Guide V-25404CAT IIIA maximum of 60-minute delay must be specified for the password retry after 3 failed attempts to enter your passwordIBM Hardware Management Console (HMC) STIG V-256881CAT IIIA maximum of 60-minute delay must be specified for the password retry after 3 failed attempts to enter your passwordIBM Hardware Management Console (HMC) Security Technical Implementation Guide V-223462CAT IIThe CA-ACF2 PSWD GSO record values for MAXTRY and PASSLMT must be properly set.IBM z/OS ACF2 Security Technical Implementation Guide V-223695CAT IIThe IBM RACF PASSWORD(REVOKE) SETROPTS value must be specified to revoke the userid after three invalid logon attempts.IBM z/OS RACF Security Technical Implementation Guide V-223879CAT IIThe CA-TSS PTHRESH Control Option must be set to 2.IBM z/OS TSS Security Technical Implementation Guide V-251774CAT IIThe Ivanti EPMM server must configured to lock administrator accounts after three unsuccessful login attempts.Ivanti EPMM Server Security Technical Implementation Guide V-251777CAT IIThe Ivanti EPMM server must be configured to lock an administrator's account for at least 15 minutes after the account has been locked because the maximum number of unsuccessful login attempts has been exceeded.Ivanti EPMM Server Security Technical Implementation Guide V-251774CAT IIThe Ivanti MobileIron Core server must configured to lock administrator accounts after three unsuccessful login attempts.Ivanti MobileIron Core MDM Server Security Technical Implementation Guide V-251777CAT IIThe Ivanti MobileIron Core server must be configured to lock an administrator's account for at least 15 minutes after the account has been locked because the maximum number of unsuccessful login attempts has been exceeded.Ivanti MobileIron Core MDM Server Security Technical Implementation Guide V-205547CAT IIThe Mainframe Product must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.Mainframe Product Security Requirements Guide V-270208CAT IIMicrosoft Entra ID must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.Microsoft Entra ID Security Technical Implementation Guide V-220739CAT IIWindows 10 account lockout duration must be configured to 15 minutes or greater.Microsoft Windows 10 Security Technical Implementation Guide V-220741CAT IIThe period of time before the bad logon counter is reset must be configured to 15 minutes.Microsoft Windows 10 Security Technical Implementation Guide V-253297CAT IIWindows 11 account lockout duration must be configured to 15 minutes or greater.Microsoft Windows 11 Security Technical Implementation Guide V-224866CAT IIWindows 2016 account lockout duration must be configured to 15 minutes or greater.Microsoft Windows Server 2016 Security Technical Implementation Guide V-224868CAT IIWindows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.Microsoft Windows Server 2016 Security Technical Implementation Guide V-205630CAT IIWindows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.Microsoft Windows Server 2019 Security Technical Implementation Guide V-205795CAT IIWindows Server 2019 account lockout duration must be configured to 15 minutes or greater.Microsoft Windows Server 2019 Security Technical Implementation Guide V-254285CAT IIWindows Server 2022 account lockout duration must be configured to 15 minutes or greater.Microsoft Windows Server 2022 Security Technical Implementation Guide V-278033CAT IIWindows Server 2025 account lockout duration must be configured to 15 minutes or greater.Microsoft Windows Server 2025 Security Technical Implementation Guide V-260909CAT IIMKE must be configured to integrate with an Enterprise Identity Provider.Mirantis Kubernetes Engine Security Technical Implementation Guide V-254131CAT IINutanix AOS must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.Nutanix AOS 5.20.x OS Security Technical Implementation Guide V-279546CAT IINutanix OS must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.Nutanix Acropolis GPOS Security Technical Implementation Guide V-273189CAT IIOkta must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period.Okta Identity as a Service (IDaaS) Security Technical Implementation Guide V-221690CAT IIThe Oracle Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.Oracle Linux 7 Security Technical Implementation Guide V-221691CAT IIThe Oracle Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.Oracle Linux 7 Security Technical Implementation Guide V-248652CAT IIOL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur.Oracle Linux 8 Security Technical Implementation Guide V-248653CAT IIOL 8 systems, versions 8.2 and above, must automatically lock an account when three unsuccessful logon attempts occur.Oracle Linux 8 Security Technical Implementation Guide V-248654CAT IIOL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.Oracle Linux 8 Security Technical Implementation Guide V-248655CAT IIOL 8 systems, versions 8.2 and above, must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.Oracle Linux 8 Security Technical Implementation Guide V-248656CAT IIOL 8 systems below version 8.2 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.Oracle Linux 8 Security Technical Implementation Guide V-248657CAT IIOL 8 systems, versions 8.2 and above, must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.Oracle Linux 8 Security Technical Implementation Guide V-248658CAT IIOL 8 systems below version 8.2 must ensure account lockouts persist.Oracle Linux 8 Security Technical Implementation Guide V-248659CAT IIOL 8 systems, versions 8.2 and above, must ensure account lockouts persist.Oracle Linux 8 Security Technical Implementation Guide V-248660CAT IIOL 8 systems below version 8.2 must prevent system messages from being presented when three unsuccessful logon attempts occur.Oracle Linux 8 Security Technical Implementation Guide V-248661CAT IIOL 8 systems, versions 8.2 and above, must prevent system messages from being presented when three unsuccessful logon attempts occur.Oracle Linux 8 Security Technical Implementation Guide V-248662CAT IIOL 8 systems below version 8.2 must log user name information when unsuccessful logon attempts occur.Oracle Linux 8 Security Technical Implementation Guide V-248663CAT IIOL 8 systems, versions 8.2 and above, must log user name information when unsuccessful logon attempts occur.Oracle Linux 8 Security Technical Implementation Guide V-248664CAT IIOL 8 systems below version 8.2 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.Oracle Linux 8 Security Technical Implementation Guide V-248665CAT IIOL 8 systems, versions 8.2 and above, must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.Oracle Linux 8 Security Technical Implementation Guide V-248667CAT IIOL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.Oracle Linux 8 Security Technical Implementation Guide V-248668CAT IIOL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.Oracle Linux 8 Security Technical Implementation Guide V-248669CAT IIOL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.Oracle Linux 8 Security Technical Implementation Guide V-248670CAT IIOL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory.Oracle Linux 8 Security Technical Implementation Guide V-271754CAT IIOL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.Oracle Linux 9 Security Technical Implementation Guide V-271755CAT IIOL 9 must maintain an account lock until the locked account is released by an administrator.Oracle Linux 9 Security Technical Implementation Guide V-271839CAT IIOL 9 must automatically lock an account when three unsuccessful logon attempts occur.Oracle Linux 9 Security Technical Implementation Guide V-271840CAT IIOL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.Oracle Linux 9 Security Technical Implementation Guide V-228660CAT IIThe Palo Alto Networks security platform must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.Palo Alto Networks NDM Security Technical Implementation Guide V-253523CAT IIAccess to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide V-252843CAT IRancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide V-281179CAT IIRHEL 10 must enforce a delay of at least four seconds between login prompts following a failed login attempt.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281194CAT IIRHEL 10 must automatically lock an account when three unsuccessful login attempts occur.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281195CAT IIRHEL 10 must automatically lock the root account until the root account is released by an administrator when three unsuccessful login attempts occur during a 15-minute time period.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281196CAT IIRHEL 10 must automatically lock an account when three unsuccessful login attempts occur during a 15-minute time period.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281197CAT IIRHEL 10 must maintain an account lock until the locked account is released by an administrator.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281198CAT IIRHEL 10 must ensure account lockouts persist.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-204427CAT IIThe Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-204428CAT IIThe Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.Red Hat Enterprise Linux 7 Security Technical Implementation Guide V-250315CAT IIRHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-250316CAT IIRHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-258054CAT IIRHEL 9 must automatically lock an account when three unsuccessful logon attempts occur.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258055CAT IIRHEL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258056CAT IIRHEL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258057CAT IIRHEL 9 must maintain an account lock until the locked account is released by an administrator.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257543CAT IOpenShift must use FIPS validated LDAP or OpenIDConnect.Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide V-261364CAT IISLEM 5 must lock an account after three consecutive invalid access attempts.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide V-768CAT IIThe delay between login prompts following a failed login attempt must be at least 4 seconds.SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide V-251660CAT IISplunk Enterprise must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.Splunk Enterprise 8.x for Linux Security Technical Implementation Guide V-254861CAT IITanium must automatically lock accounts and require them be unlocked by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.Tanium 7.x Operating System on TanOS Security Technical Implementation Guide V-252957CAT IITOSS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide V-282360CAT IITOSS 5 must automatically lock an account when three unsuccessful login attempts occur.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-282361CAT IITOSS 5 must automatically lock an account when three unsuccessful login attempts occur during a 15-minute time period.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-234491CAT IIThe UEM server must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.Unified Endpoint Management Server Security Requirements Guide V-69199CAT IIThe NSX vCenter must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.VMware NSX Manager Security Technical Implementation Guide V-240502CAT IIIThe SLES for vRealize must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.VMware vRealize Automation 7.x SLES Security Technical Implementation Guide V-239596CAT IIIThe SLES for vRealize must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide V-256380CAT IIThe ESXi host must enforce an unlock timeout of 15 minutes after a user account is locked out.VMware vSphere 7.0 ESXi Security Technical Implementation Guide V-256479CAT IIThe Photon operating system must automatically lock an account when three unsuccessful logon attempts occur.VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide V-256338CAT IIThe vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.VMware vSphere 7.0 vCenter Security Technical Implementation Guide V-256346CAT IIThe vCenter Server must require an administrator to unlock an account locked due to excessive login failures.VMware vSphere 7.0 vCenter Security Technical Implementation Guide V-258742CAT IIThe ESXi host must enforce an unlock timeout of 15 minutes after a user account is locked out.VMware vSphere 8.0 ESXi Security Technical Implementation Guide V-258843CAT IIThe Photon operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide V-258924CAT IIThe vCenter Server must set the interval for counting failed login attempts to at least 15 minutes.VMware vSphere 8.0 vCenter Security Technical Implementation Guide V-258933CAT IIThe vCenter Server must require an administrator to unlock an account locked due to excessive login failures.VMware vSphere 8.0 vCenter Security Technical Implementation Guide V-207448CAT IIThe VMM must automatically lock an account until the locked account is released by an administrator, when three unsuccessful logon attempts in 15 minutes are made.Virtual Machine Manager Security Requirements Guide V-73309CAT IIWindows 2016 account lockout duration must be configured to 15 minutes or greater.Windows Server 2016 Security Technical Implementation Guide V-73309CAT IIWindows 2016 account lockout duration must be configured to 15 minutes or greater.Windows Server 2016 Security Technical Implementation Guide V-93145CAT IIWindows Server 2019 account lockout duration must be configured to 15 minutes or greater.Windows Server 2019 Security Technical Implementation Guide V-269574CAT IXylok Security Suite must use a centralized user management solution.Xylok Security Suite 20.x Security Technical Implementation Guide