Microsoft extends brute-force attack protections to local Windows accounts

New Windows installations will be more secure thanks to a recently implemented policy against recurring login attempts. Microsoft is waging war against brute force attacks, on all supported Windows versions and not just Windows 11.

As Microsoft works to implement a more secure Windows ecosystem, new security policies have become available for users and system administrators. The most recent policy concerns so called brute-force attacks, a tried and tested threat against the Windows account management subsystem.

Microsoft says brute force attacks are one of the top three ways Windows machines are being targeted today, with malware and malicious scripts trying countless password combinations until user login accounts are finally compromised. The worst of it, Microsoft states, is that Windows devices currently do not allow local administrators to be locked out for security reasons.

With no proper protection for local setups, dangerous scenarios where local administrator accounts can be subjected to unlimited brute-force attacks become realistic. This kind of attack can be done using RDP communication over the internet, while modern CPUs and GPUs make guessing common or simpler passwords a rather trivial affair.

Microsoft suggests a baseline security policy of 10/10/10, which means an account will be locked out after 10 failed attempts within 10 minutes and the lockout period would last for 10 minutes.

The latest effort to curb brute-force attacks comes alongside the October 2022 cumulative update, as a new policy available to secure local machines by enabling local administrator account lockouts. The policy can be found under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies, that when enabled will block login attempts after a fixed set of failed attempts.

Microsoft suggests a baseline security policy of 10/10/10, which means an account will be locked out after 10 failed attempts within 10 minutes and the lockout period would last for 10 minutes. The new default lockout policy for mitigating RDP brute-force attacks was introduced in July for the latest Windows 11 Insider builds. Now the lockout policy is becoming available for all supported Windows versions with the October 2022 updates installed.

For new machines running Windows 11 version 22H2, the policy will be set by default at system setup. Existing Windows 10 and Windows 11 machines without the cumulative updates already installed, however, will require manual policy setting. Microsoft is also enforcing password complexity on new machines with local administrator accounts: the account password will now need to use at least three of the four basic character types (lower case, upper case, numbers and symbols).