Microsoft Implements Brute Force Attack Protection for All Windows Versions
As of October 11th, All Versions of Windows Can Automatically Block Admin Brute Force Attacks.
Last updated on October 12, 2022
Yesterday, Microsoft announced that IT administrators can now set up group policies to automatically prevent brute force attacks against local administrator accounts on any Windows system that is still receiving security updates.
Previously, the feature was only available for Windows 11, as announced by David Weston, Microsoft’s VP of Enterprise and OS Security in July.
Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors. This technique is very commonly used in Human Operated Ransomware and other attacks – this control will make brute forcing much harder which is awesome!
According to Bleeping Computer, on Windows 11 systems where the policy is enabled, user accounts, including Administrator accounts, are automatically locked for 10 minutes after 10 unsuccessful sign-in attempts within 10 minutes.
The New Policy Is Available on All Windows Systems
After Weston’s announcement in July, Microsoft confirmed yesterday that any Windows system with the October 2022 cumulative updates installed now supports the same account lockout policy.
In an effort to prevent further brute force attacks/attempts, we are implementing account lockouts for Administrator accounts. Beginning with the October 11, 2022 or later Windows cumulative updates, a local policy will be available to enable local administrator account lockouts.
Administrators can enable this additional defense against brute force attacks by accessing: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies.
This group policy will be enabled by default on all new machines running Windows 11 22H2 or where the October 2022 Windows cumulative updates were installed prior to the initial setup when the Security Account Manager (SAM) database that stores the users’ passwords is first instantiated on the new machine.
Microsoft also stated that local administrator accounts must now use strong passwords that ‘must have at least three of the four basic character types (lower case, upper case, digits, and symbols)’. This is an additional defense against brute force attacks, which are cheap to run against systems with modern CPUs and GPUs if passwords are not long or complex enough.
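To verify that a machine actually carries the lockout thresholds and complexity requirement described above, the following script, an added example and not code from the article or from Microsoft, exports the local security policy with secedit and compares the relevant keys against the 10 attempts / 10-minute window / 10-minute lockout / complexity-on baseline. The baseline values and pass conditions are assumptions taken from the figures the article reports; the separate setting that enables lockout for the built-in Administrator account is not checked here.

```powershell
# Added example, not from the article or from Microsoft: audit a local machine's
# lockout and password-complexity policy against the values the article reports
# (10 attempts, 10-minute window, 10-minute lockout, complexity enabled).
# Run in an elevated PowerShell session; secedit needs admin rights to export.

$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null

# Collect the [System Access] keys of interest. Keys Windows omits from the
# export (e.g. window and duration when lockout is disabled) stay unset.
$policy = @{}
Get-Content $inf | ForEach-Object {
    if ($_ -match '^\s*(LockoutBadCount|ResetLockoutCount|LockoutDuration|PasswordComplexity)\s*=\s*(-?\d+)') {
        $policy[$matches[1]] = [int]$matches[2]
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Pass conditions (assumed baseline derived from the article's figures):
#  - LockoutBadCount: 1..10 invalid attempts (0 means lockout is disabled)
#  - ResetLockoutCount: observation window of at least 10 minutes
#  - LockoutDuration: at least 10 minutes, or -1 (locked until an admin unlocks)
#  - PasswordComplexity: 1 (three of the four character classes required)
$checks = @(
    @{ Key = 'LockoutBadCount';    Test = { param($v) $v -ge 1 -and $v -le 10 } },
    @{ Key = 'ResetLockoutCount';  Test = { param($v) $v -ge 10 } },
    @{ Key = 'LockoutDuration';    Test = { param($v) $v -eq -1 -or $v -ge 10 } },
    @{ Key = 'PasswordComplexity'; Test = { param($v) $v -eq 1 } }
)

$failures = 0
foreach ($c in $checks) {
    $value = $policy[$c.Key]
    if ($null -eq $value) {
        Write-Host ("FAIL  {0,-18} not set" -f $c.Key); $failures++
    } elseif (& $c.Test $value) {
        Write-Host ("PASS  {0,-18} = {1}" -f $c.Key, $value)
    } else {
        Write-Host ("FAIL  {0,-18} = {1}" -f $c.Key, $value); $failures++
    }
}
exit $failures   # non-zero when any setting is weaker than the baseline
```

The exit code makes the script usable from a configuration-compliance job: a non-zero result flags a host whose lockout policy is disabled or looser than the baseline.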
Madalina, a seasoned digital content creator at Heimdal®, blends her passion for cybersecurity with an 8-year background in PR & CSR consultancy. Skilled in making complex cyber topics accessible, she bridges the gap between cyber experts and the wider audience with finesse.