Microsoft is introducing a new feature in Windows that will lock out a local admin account after several attempted brute force attacks.
According to the Redmond, Wash. IT giant, Windows devices did not allow local admin accounts to be locked out despite brute force attacks being one of the top three ways that Windows devices are attacked. Without proper network segmentation or an intrusion detection service, local admin accounts could be subjected to unlimited brute force attacks.
That could be done using RDP over the network, and the time it takes to perform attacks against passwords is becoming trivial with modern computing power, the company says.
However, beginning with the Oct. 11 or later cumulative updates, Microsoft will allow organizations to enable a policy to lock out admin accounts.
The Windows admin account lockout policy can be found under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies.
For existing machines, setting that value to “Enabled” on existing machines using a local or domain group policy object (GPO) will enable the lockout ability. Microsoft also recommends setting the other three policies under account lockout policies to 10/10/10.
“This means an account would be locked out after 10 failed attempts within 10 minutes and the lockout would last for 10 minutes, after which the account would be unlocked automatically,” reads a Microsoft support document.
For new machines on Windows 11 22h2 or any machines that include the Oct. 11 cumulative updates before initial setup, the Windows admin account lockout settings will be set by default at system setup, the company says.
“This occurs when the SAM database is first instantiated on a new machine,” the support document says. “So, if a new machine was set up and then had the October updates installed later, it will not be secure by default and will require the policy settings above.”
Admins who do not want the policies applied to a computer can set the local policy or create a group policy to “disabled.”
In another move to help prevent brute force attacks, the company is also enforcing password complexity on new machines if a local admin account is used. This too can be disabled in Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy.
Leave a Reply