Microsoft has confirmed that Windows 11 now has its Account Lockout Policy activated by default in a bid to cut down on Remote Desktop Services attacks.
A recent security update included with Windows 11 Insider Preview 22528.1000 and newer came with the feature, which automatically locks down Windows accounts after 10 consecutive failed login attempts, the company explained. The lockout period is 10 minutes.
Microsoft is hoping the move will help put an end to brute-force attacks, in which threat actors try an infinite number of login credential combinations until one works.
Security by default
“Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors,” David Weston, Microsoft’s VP for Enterprise and OS Security, tweeted (opens in new tab). “This technique is very commonly used in Human Operated Ransomware and other attacks – this control will make brute forcing much harder which is awesome!”
Remote Desktop Services is an immensely popular attack vector among cybercriminals. According to the FBI, anywhere between 70 and 80% of network breaches that result in ransomware attacks start with the Remote Desktop Protocol (RDP). The Covid-19 pandemic only exacerbated the problem, as in 2020, Kaspersky said it observed a huge spike in attacks targeting RDP users.
RDP allows users to easily connect to their work computers at the office while working remotely which has proven quite useful for many during the pandemic. However, if a cybercriminal is able to gain access to RDP on a user’s computer, they would have the same permissions and access to data and folders that they do, allowing them to, for example, install disable the antivirus (opens in new tab) on the compromised endpoint (opens in new tab).
Back then, Kaspersky said organizations around the world have seen increased generic brute-forcing attacks where cybercriminals utilize automated scripts to try countless combinations of passwords and user IDs in an attempt to find working credentials.
Windows 10 users already have this feature, but users need to activate it first, meaning systems with default setups are vulnerable. Administrators interested in turning the feature on can do so in the Group Policy Management Console.
Via: BleepingComputer (opens in new tab)