Configure dictionary attack threshold
Determines the number of allowed Trusted Platform Module authentication attempts, before dictionary attack defending measures are taken.
Enabled: Specify how many authentication attempts should be allowed for keys (e.g. used for Security Platform User authentication), owner, and for the access of sealed data (e.g. used by Windows BitLocker in combination with PIN), before dictionary attack defending measures are taken.
Disabled: The dictionary attack threshold cannot be configured. The default values are in effect.
Default value: Enabled. Owner: 3 attempts. Key: 5 attempts. Data: 10 attempts.
This policy is only relevant for Security Platforms with an Infineon Trusted Platform Module 1.2. It needs to be set before Security Platform Initialization. Subsequent changes of this policy will only be effective after the next defense level reset.
If this policy is not configured, then the same settings can be set individually for each platform in stand-alone mode via Initialization Wizard. In this case no defense level reset is needed for the settings to be effective.
Note that all Security Platform users share the number of allowed user authentication attempts. Consider this if there are multiple parallel users on a system (e.g. using Fast User Switching).
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | Software\Policies\Infineon\TPM Software |
| Value Name | DictionaryAttackThreshold_Pol |
| Value Type | REG_DWORD |
| Enabled Value | 1 |
| Disabled Value | 0 |
Key authentication
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | Software\Policies\Infineon\TPM Software |
| Value Name | DictionaryAttackThresholdUser |
| Value Type | REG_DWORD |
| Default Value | 5 |
| Min Value | 1 |
| Max Value | 10 |
Owner authentication
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | Software\Policies\Infineon\TPM Software |
| Value Name | DictionaryAttackThresholdOwner |
| Value Type | REG_DWORD |
| Default Value | 3 |
| Min Value | 1 |
| Max Value | 10 |
Data authentication
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | Software\Policies\Infineon\TPM Software |
| Value Name | DictionaryAttackThresholdData |
| Value Type | REG_DWORD |
| Default Value | 10 |
| Min Value | 1 |
| Max Value | 10 |
ifxsppol.admx
- Security Platform
- All Versions Settings
- Allow administrators to retrieve the SRK public key remotely
- Allow administrators to take ownership remotely
- Allow administrators to use platform keys remotely
- Allow reading of unprotected TPM NV memory
- Configure dictionary attack threshold
- Enable stringent password field security
- Enhanced Authentication providers
- Prepare TPM enrollment
- Purge keys when entering energy-saving states
- Previous Product Versions Settings
- Stand-alone Computer Version Settings
- Owner Password
- Allow platform enrollment
- Backup archive location
- Enforce configuration of Backup including Emergency Recovery
- Enforce configuration of Password Reset
- Enforce immediate System Backup
- Use public key of Emergency Recovery Token from archive
- Use public key of Password Reset Token from archive
- All Versions Settings
- Security Platform
- All Versions Settings
- Basic User Passphrase
- Basic User Password
- Allow EFS configuration
- Allow key import for User
- Allow PSD configuration
- Allow secure e-mail configuration
- Allow user to temporarily disable the Security Platform Features
- Control Quick Initialization
- Creation of non-migratable Basic User Key
- EFS certificate expiration warning occurrence
- EFS certificate type and enrollment
- EFS self-signed certificates validity period
- Enable caching of Basic User Password
- Enforce enabling of Password Reset
- Enforce Enhanced Authentication
- Enforce strong private key protection for MS-CAPI signing keys
- File location for Personal Secure Drive
- Minimum free space after PSD creation
- URL to start from wizard for certificate enrollment
- Stand-alone Computer Version Settings
- All Versions Settings