Safeguarding the windows systems against brute force attacks, Microsoft has enabled automatic lockout of user accounts (including the admin) after a certain number of invalid tries in a certain span.
This would make the attack surface harder for the hacker, who aims to steal the system password using a brute force attack. Also, Microsoft wants users to use strong passwords for their local accounts for better safety.
Automatic Lockout of Accounts in Windows
Brute forcing is one of the most common attacking vectors for obtaining account passwords, where hackers use a preset list of possible passwords and feed them one by one against the login fields to gain access.
As it’s often used by hackers against Windows systems, Microsoft came up with a solution – to automatically lock out the user accounts (including admins) for 10 minutes after 10 failed sign-in attempts within 10 minutes.
This was first introduced by default in Windows 11 in July this year, where Microsoft’s VP for Enterprise and OS Security, David Weston, said: “This technique is very commonly used in Human Operated Ransomware, and other attacks – this control will make brute forcing much harder which is awesome!”
@windowsinsider Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors. This technique is very commonly used in Human Operated Ransomware and other attacks – this control will make brute forcing much harder which is awesome! pic.twitter.com/ZluT1cQQh0
— David Weston (DWIZZZLE) (@dwizzzleMSFT) July 20, 2022
Since it’s useful, the company is now enabling it on all the Windows machines that have the October 2022 cumulative update installed. Admins of either Windows 11 22H2 or the other Windows versions (having the October 2022 update installed) can find the new policy of “Allow Administrator account lockout” under the Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies.
Aside from this, Microsoft has also mandated the use of strong and complex passwords for the local administrator accounts – which is to have “at least three of the four basic character types (lower case, upper case, numbers, and symbols).”
These new rules are some of the many the company is following to safeguard its users from the growing cyberattacks in various forms. Others include the auto-blocking of Office macros in downloaded documents and multi-factor authentication (MFA) in Azure AD have recently been enforced.