In the latest Windows 11 builds, Microsoft enabled the Account Lockout Policy by default, which doubles as a fail-safe against RDP brute-forcing attempts.
The policy automatically locks user accounts for 10 minutes after failing 10 login attempts in a row. It also applies to Administrator accounts.
Brute-force attacks submit a large number of passwords in succession, usually driven by automation and scripts or drawn from a dictionary file. Because the Account Lockout Policy locks an account after 10 consecutive wrong passwords, it sharply raises the cost of brute-forcing a single account. It does not stop password spraying, where an attacker tries a few common passwords against many accounts while staying under the threshold within the reset window, and an attacker who can reach the logon surface can deliberately trigger lockouts to deny service to legitimate users.
Microsoft implemented the changes in its latest Windows 11 builds, starting with Insider Preview 22528.1000.
“Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors,” said Microsoft VP for Enterprise and OS Security David Weston in a tweet yesterday. “This technique is very commonly used in Human Operated Ransomware, and other attacks - this control will make brute forcing much harder,” the announcement continues.
Although Microsoft only enabled the Account Lockout Policy by default on Windows 11, the feature is also available on Windows 10. However, it requires manual activation, which you can do by following these steps:
1. Open the Local Group Policy Editor (gpedit.msc).
2. Navigate to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.
3. Set Account lockout duration, Account lockout threshold, and Reset account lockout counter after according to your preferences (the Windows 11 defaults are 10 minutes, 10 attempts, and 10 minutes).

This is not Microsoft's first attempt to blunt certain types of cyberattacks by disabling features in its products by default. Earlier this year, Microsoft announced that it would disable Visual Basic for Applications (VBA) macros by default in some of its products. Although the company briefly withdrew that decision, it has since reinstated it and disabled the macros by default for good.
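The Windows 10 steps above use the Group Policy editor; the same three values can be set and verified from an elevated PowerShell prompt. The script below is an added example written for this article, not code from Microsoft or the original post. It assumes a standalone or workgroup machine (on a domain member, domain policy overrides the local values for domain accounts) and assumes the standard English `net accounts` output labels. It also lists recent lockout events (ID 4740) so you can see the policy firing against a brute-force attempt.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: apply the Windows 11 default
# lockout values on Windows 10, verify them, and show recent lockouts.
# Assumption: standalone/workgroup host, English locale for `net accounts` text.

# `net accounts` prints the effective local password/lockout policy as plain text;
# parse the three lockout lines into a hashtable. A threshold of "Never" means 0.
function Get-LocalLockoutPolicy {
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^Lockout threshold:\s+(\S+)') { $policy.Threshold = $Matches[1] }
        elseif ($line -match '^Lockout duration \(minutes\):\s+(\S+)') { $policy.DurationMinutes = $Matches[1] }
        elseif ($line -match '^Lockout observation window \(minutes\):\s+(\S+)') { $policy.WindowMinutes = $Matches[1] }
    }
    return $policy
}

# The three switches map one-to-one onto the Group Policy settings:
#   /lockoutthreshold -> Account lockout threshold (0 = never lock)
#   /lockoutduration  -> Account lockout duration (0 = locked until an admin unlocks)
#   /lockoutwindow    -> Reset account lockout counter after
function Set-LocalLockoutPolicy {
    param(
        [int]$Threshold = 10,
        [int]$DurationMinutes = 10,
        [int]$WindowMinutes = 10
    )
    # Windows rejects a reset window longer than a finite lockout duration.
    if ($DurationMinutes -ne 0 -and $WindowMinutes -gt $DurationMinutes) {
        throw "Reset window ($WindowMinutes min) must not exceed lockout duration ($DurationMinutes min)"
    }
    net accounts /lockoutthreshold:$Threshold /lockoutduration:$DurationMinutes /lockoutwindow:$WindowMinutes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net accounts failed with exit code $LASTEXITCODE" }
}

# Event 4740 is logged on the machine that locked the account. Property 0 is the
# locked account name; property 1 carries the caller computer name.
function Get-RecentLockouts {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    # SilentlyContinue: Get-WinEvent reports "No events were found" as an error.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $_.Properties[0].Value
            Caller  = $_.Properties[1].Value
        }
    }
}

'Lockout policy before:'
Get-LocalLockoutPolicy
Set-LocalLockoutPolicy -Threshold 10 -DurationMinutes 10 -WindowMinutes 10
'Lockout policy after:'
Get-LocalLockoutPolicy
'Accounts locked out in the last 24 hours:'
Get-RecentLockouts -Hours 24 | Format-Table -AutoSize
```

These three values govern ordinary local accounts only. Whether the built-in Administrator account is locked out at all is a separate policy setting (Allow Administrator account lockout) that ships with the newer builds the article describes; check it in the same Group Policy path on your build rather than assuming it follows the threshold above.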
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.