Windows 11 account lockout policy helps to block brute force attacks

Jimmy2x

Why it matters: A recent Windows 11 Insider update helps users automatically block brute force attacks. Such attacks now trigger an account lockout policy, which applies to both user and administrator accounts. The policy locks an account after ten failed login attempts, stopping the brute force attack before it can continue.

David Weston, Microsoft's VP of Security and Enterprise, announced the news via Twitter earlier this week. According to Weston, the lockout policy is designed to mitigate Remote Desktop Protocol (RDP) and other brute force attack vectors. The new feature is available on Windows 11 Insider Preview builds 22528.1000 and newer. The feature will also be deployed to Windows 10; however, users will have to enable the policy manually.

Brute force attacks use scripts and applications that generate millions of password guesses in an effort to obtain a user's login credentials, trying every combination until the password is found. The time required to find the right combination is directly related to the length and complexity of the password. The new policy effectively ends Windows 11-based brute force attacks by locking the account after the first ten failed password attempts.

Despite their age and simplicity, brute force attacks have seen something of a resurgence due to today's workplace needs. The Covid-19 pandemic forced many employees and companies to adopt and rely on various remote solutions. The shift in workplace connectivity resulted in a sharp increase in brute force attacks, from 150,000 attacks per year to more than one million at the start of the pandemic.

The move by Microsoft is a big step forward in reducing the effectiveness of one of the oldest and simplest attacks plaguing users around the world. Despite the new policy, users should still follow good security practices: create long passwords that mix upper- and lower-case letters, numbers, and (where allowed) special characters.
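As an added example (not from the article or from Microsoft), the following PowerShell checks whether the lockout threshold described above is in effect on a local machine, sets it if it is not, and lists recent lockout and failed-logon events so an administrator can confirm the policy is doing its job. It assumes an elevated session and that the Security log is auditing logon failures and account lockouts (Event IDs 4625 and 4740); the Properties indexes used for those events are the standard field order of the event XML.

```powershell
# Added example: audit and enable the local account lockout policy, then
# review the Security log for lockouts and failed logons.
# Assumes an elevated PowerShell session on the local machine.

# 1. Show the effective lockout settings. 'net accounts' is the built-in tool;
#    the threshold line reads 'Never' when lockout is disabled (0 attempts).
net accounts | Where-Object { $_ -match 'Lockout' }

# 2. If lockout is disabled, enable it with the same threshold the article
#    describes (10 attempts). Duration and observation window are in minutes.
$thresholdLine = net accounts | Where-Object { $_ -match 'Lockout threshold' }
if ($thresholdLine -match 'Never') {
    net accounts /lockoutthreshold:10 /lockoutduration:10 /lockoutwindow:10
}

# 3. Accounts locked out in the last 24 hours (Event ID 4740).
#    Properties[0] = TargetUserName, Properties[1] = caller computer name.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $_.Properties[0].Value
            Source  = $_.Properties[1].Value
        }
    } | Format-Table -AutoSize

# 4. Failed logons (Event ID 4625) grouped by source address and logon type.
#    Properties[10] = LogonType (10 = RemoteInteractive/RDP, 3 = network),
#    Properties[19] = IpAddress. A single address with many failures is the
#    pattern the lockout policy is meant to cut short.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Group-Object { '{0} (type {1})' -f $_.Properties[19].Value, $_.Properties[10].Value } |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

The lockout duration and observation window bound how long a deliberately triggered lockout lasts, so review them together with the threshold rather than the threshold alone.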


 
For once Microsoft does something that makes sense. Too bad they're also trying to force people to use a Microsoft account to log into their own computers, which nobody with a brain would ever do. For companies it also means Windows 11 is DOA until that policy changes.
 
For once Microsoft does something that makes sense. Too bad they're also trying to force people to use a Microsoft account to log into their own computers, which nobody with a brain would ever do. For companies it also means Windows 11 is DOA until that policy changes.
And they probably won't give this update to Windows 10, either. Considering how long brute force attacks have been a problem, I'm surprised it took them this long to come up with a solution, and then they're holding us hostage if we want the security update.

Normally I'd shill Linux over crap like this, but MS has really been making me tired of doing that with everything they're doing. Like, seriously, I don't even have to shill Linux anymore. People are starting to willingly put up with any inconvenience switching causes them, because it's "account this, browser that, we won't give you security updates unless you do this."

Seriously, what are you doing...
 
For once Microsoft does something that makes sense. Too bad they're also trying to force people to use a Microsoft account to log into their own computers, which nobody with a brain would ever do. For companies it also means Windows 11 is DOA until that policy changes.


Same here.
 
I always create a new user account not associated with my Microsoft account and put all my files on a separate partition to avoid Microsoft getting access to them.
If it's MS phoning the metadata home that you're worried about, that's the telemetry, which is running in the background regardless of where the files are stored or MS account association, IIRC, unless you turn the service off.

If it's the actual file contents you're worried about getting hoovered into the cloud, just turn OneDrive off.

I'm not sure how making another partition would affect either of these issues.
 
Just watch the script kiddies now lock out entire organizations by setting up automated attacks on all admin and user accounts that just try 11 random login attempts, or 11 attempts that are wrong.
Yeah, I know. We just can't have nice things.
 