- Brute-forcing Remote Desktop Protocol credentials has long been a popular attack vector for threat actors; Microsoft wants to address it.
- The company is bringing a default account lockout policy to Windows 11; the policy settings themselves were already available in older versions.
- Account lockout is disabled by default on older versions of Windows, but it will be enabled by default in Windows 11.
Remote Desktop Protocol (RDP) brute-force has been a popular attack vector among threat actors for a while, especially in human-operated ransomware attacks. Microsoft is now taking steps to mitigate it. The measures were announced on Twitter by David Weston, Vice President, OS Security and Enterprise at Microsoft.
Under Local Group Policy Editor
Weston announced that Windows 11 Insider builds now ship with a default account lockout policy: after a set number of failed sign-in attempts, the account is locked out for a set period, which blunts RDP brute-forcing (and password brute-forcing over any other logon path, since the policy applies to the account rather than to RDP). The values can be changed in the Local Group Policy Editor under Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy. By default, Windows 11 locks the account out for ten minutes after ten invalid sign-in attempts.
The policy itself already exists in Windows 10, but it is not enabled by default there. Windows 10 users can check and enable it in the Account Lockout Policy section of the Local Group Policy Editor.
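The following script is an added example, not code from the original article or from Microsoft. It reads the local Account Lockout Policy with `net accounts`, applies the Windows 11 defaults described above (ten attempts, ten-minute lockout, ten-minute reset window) when lockout is disabled, and then summarises recent failed RDP logons (Security event 4625, logon type 10) by source address so you can see what the policy is throttling. It assumes an elevated PowerShell session on a standalone Windows 10/11 or Windows Server host; on a domain-joined machine the domain's Account Lockout Policy overrides these local values. The function names are our own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or from Microsoft): inspect the local Account
# Lockout Policy, apply the Windows 11 defaults when lockout is off, and list recent
# failed RDP logons by source address.
# Assumptions: elevated PowerShell 5.1+ on a standalone host; on a domain member the
# domain policy wins over these local values. Function names are hypothetical.

function Get-LocalLockoutPolicy {
    # `net accounts` prints the effective local policy; pull the three lockout lines.
    $lines = net accounts
    $value = {
        param([string]$Label)
        $line = $lines | Where-Object { $_ -like "$Label*" } | Select-Object -First 1
        ($line -replace '^[^:]+:\s*', '').Trim()
    }
    [pscustomobject]@{
        Threshold = & $value 'Lockout threshold'                      # "Never" = disabled
        Duration  = & $value 'Lockout duration (minutes)'
        Window    = & $value 'Lockout observation window (minutes)'
    }
}

function Set-LocalLockoutPolicy {
    param(
        [int]$Threshold = 10,   # failed attempts before the account is locked out
        [int]$Duration  = 10,   # minutes the account stays locked out
        [int]$Window    = 10    # minutes of inactivity before the failure counter resets
    )
    # Windows requires the duration to be at least the observation window.
    if ($Duration -lt $Window) { throw 'Lockout duration must be at least the observation window.' }
    net accounts /lockoutthreshold:$Threshold /lockoutduration:$Duration /lockoutwindow:$Window | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net accounts failed with exit code $LASTEXITCODE" }
}

function Get-RdpLogonFailures {
    # Failed logons over RDP are event 4625 with LogonType 10 (RemoteInteractive).
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data  = ([xml]$_.ToXml()).Event.EventData.Data
        $field = { param($n) ($data | Where-Object { $_.Name -eq $n }).'#text' }
        if ((& $field 'LogonType') -eq '10') {
            [pscustomobject]@{ Source = & $field 'IpAddress'; Account = & $field 'TargetUserName' }
        }
    } | Group-Object Source | Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'Accounts'; e = { ($_.Group.Account | Select-Object -Unique) -join ',' } }
}

$before = Get-LocalLockoutPolicy
"Current policy: threshold=$($before.Threshold) duration=$($before.Duration) window=$($before.Window)"
if ($before.Threshold -eq 'Never') {
    Set-LocalLockoutPolicy              # apply the Windows 11 defaults (10 / 10 / 10)
    $after = Get-LocalLockoutPolicy
    "Applied policy: threshold=$($after.Threshold) duration=$($after.Duration) window=$($after.Window)"
}
Get-RdpLogonFailures -Hours 24 | Format-Table -AutoSize
```

Auditing of failed logons (event 4625) must be enabled for the last step to show anything; the lockout itself is recorded as event 4740 on the machine that holds the account. A ten-minute lockout is a trade-off: it throttles password guessing but also lets an attacker who knows a username lock that user out at will, so do not raise the threshold to very low values on accounts that must stay reachable.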
@windowsinsider Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors. This technique is very commonly used in Human Operated Ransomware and other attacks – this control will make brute forcing much harder which is awesome! pic.twitter.com/ZluT1cQQh0
— David Weston (DWIZZZLE) (@dwizzzleMSFT) July 20, 2022
Windows Server RDP brute-force protection
Weston did not mention Windows Server specifically, but the same account lockout policy is already available on the enterprise-focused version of Windows as well. It is not turned on by default there, as it will be for Windows 11. Today some system administrators choose to disable Remote Desktop Protocol entirely to prevent brute-force attacks. The policy might be enabled by default in future updates for Windows Server as well.