- In an effort to prevent further brute force attacks, Microsoft is implementing account lockouts for Administrator accounts.
- Microsoft is also enforcing password complexity on new machines if a local administrator account is used.
- This policy can be found under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies.
Microsoft is implementing account lockouts for administrator accounts on all Windows versions. The change was announced in late July 2022 and first shipped in Insider builds. Microsoft stated that brute force attacks are one of the top three methods used against Windows machines. Until now, however, Windows lacked a way to lock out admin accounts, so local administrator accounts were exposed to unlimited brute force attempts, which can be carried out over the network via RDP.
Account lockout
Starting from October 11, Microsoft is implementing account lockouts for administrator accounts to prevent brute force attempts. The new policy can be found under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies.
Once the "Allow Administrator account lockout" policy is set to Enabled on existing machines, administrator accounts become eligible for lockout. Microsoft recommends that administrators set the other three lockout policies to 10/10/10: an account is locked out after 10 failed attempts within 10 minutes, and the lockout lasts for 10 minutes, after which the account is unlocked automatically.
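To make the threshold/window/duration semantics concrete, here is an added example (not code from the article or from Microsoft) that models the recommended 10/10/10 policy and replays a constructed stream of logon attempts through it. The account names, timestamps and the assumption that the window resets relative to the most recent failed attempt are the author's own for this illustration; it shows why a correct password is still rejected during the lockout, why the account reopens on its own after the duration elapses, and why failures spread out over more than the window never reach the threshold.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutPolicy:
    """The three Account Lockout Policy values, here at the recommended 10/10/10."""
    threshold: int = 10                          # failed attempts before lockout
    window: timedelta = timedelta(minutes=10)    # reset the failure counter after this
    duration: timedelta = timedelta(minutes=10)  # how long the lockout lasts (auto unlock)


@dataclass
class AccountState:
    failures: int = 0
    last_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None


class LockoutTracker:
    """Tracks per-account failure counters the way the policy describes."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: dict[str, AccountState] = {}

    def _state(self, account: str) -> AccountState:
        return self.accounts.setdefault(account, AccountState())

    def is_locked(self, account: str, now: datetime) -> bool:
        st = self._state(account)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            # Lockout duration elapsed: automatic unlock, counter cleared.
            st.locked_until = None
            st.failures = 0
            st.last_failure = None
            return False
        return True

    def attempt(self, account: str, now: datetime, password_ok: bool) -> str:
        """Return 'locked', 'success', 'failure' or 'lockout' for one logon attempt."""
        st = self._state(account)
        if self.is_locked(account, now):
            return "locked"            # rejected even if the password is right
        if password_ok:
            st.failures = 0
            st.last_failure = None
            return "success"
        # Assumption: the reset window is measured from the most recent failure.
        if st.last_failure is not None and now - st.last_failure >= self.policy.window:
            st.failures = 0
        st.failures += 1
        st.last_failure = now
        if st.failures >= self.policy.threshold:
            st.locked_until = now + self.policy.duration
            return "lockout"
        return "failure"


def build_events(t0: datetime) -> list[tuple[datetime, str, bool]]:
    """Constructed sample: a rapid burst, a correct password during and after
    lockout, and a slower spray that stays under the window."""
    burst = [(t0 + timedelta(seconds=30 * i), "Administrator", False) for i in range(10)]
    retry = [(t0 + timedelta(minutes=10), "Administrator", True),   # still locked
             (t0 + timedelta(minutes=15), "Administrator", True)]   # lock expired
    slow = [(t0 + timedelta(minutes=20 + i), "svc-backup", False) for i in range(9)]
    slow.append((t0 + timedelta(minutes=40), "svc-backup", False))  # 12 min gap: counter reset
    return burst + retry + slow


def run_scenario(policy: LockoutPolicy = LockoutPolicy()) -> tuple[list[str], LockoutTracker]:
    tracker = LockoutTracker(policy)
    t0 = datetime(2022, 10, 11, 9, 0, 0)
    outcomes = [tracker.attempt(acct, when, ok) for when, acct, ok in build_events(t0)]
    return outcomes, tracker


if __name__ == "__main__":
    results, tr = run_scenario()
    for i, r in enumerate(results):
        print(i, r)
    print("svc-backup failure counter:", tr.accounts["svc-backup"].failures)
```

The tenth rapid failure produces the lockout; the correct password five and a half minutes later is still refused, and the one at fifteen minutes succeeds because the ten-minute duration has passed. The second account never locks: nine failures followed by a twelve-minute pause exceed the reset window, so the next failure starts the counter again at one.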
@windowsinsider Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors. This technique is very commonly used in Human Operated Ransomware and other attacks – this control will make brute forcing much harder which is awesome! pic.twitter.com/ZluT1cQQh0
— David Weston (DWIZZZLE) (@dwizzzleMSFT) July 20, 2022
Microsoft is also enforcing password complexity on new machines if a local administrator account is used. The password must contain at least three of the four basic character types (lower case, upper case, numbers, and symbols), which also helps protect accounts against brute force attacks. Users who prefer less complex passwords can still set the appropriate password policies in Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy. Microsoft also said:
"For new machines on Windows 11, version 22H2, or any new machines that include the October 11, 2022 Windows cumulative updates before the initial setup, these settings will be set by default at system setup. This occurs when the SAM database is first instantiated on a new machine. So, if a new machine was set up and then had the October updates installed later, it will not be secure by default and will require the policy settings above. If you do not want these policies to apply to your new computer, you can set the local policy above or create a group policy to apply the Disabled setting for "Allow Administrator account lockout.""