One of the most common ways attackers target Windows devices is the brute-force attack: trying candidate passwords (or keys) one after another until one works. If no countermeasure is in place, an attacker can keep guessing an account's password indefinitely, and if the password is weak it will not take long before the account is compromised.
Microsoft is responding by allowing IT administrators to configure any Windows machine that is still receiving security updates to automatically lock out the built-in local Administrator account after repeated failed sign-in attempts. A local policy that permits this lockout is available starting with the October 11, 2022 Windows cumulative updates and later.
To take advantage of this feature, IT admins can enable the "Allow Administrator account lockout" policy under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy in the Local Group Policy Editor (gpedit.msc).
Microsoft also suggests configuring the other entries under Account Lockout Policy: "Account lockout duration", "Account lockout threshold", and "Reset account lockout counter after". The company recommends a 10/10/10 approach: an account is locked out after 10 failed attempts within a 10-minute window, the lockout lasts 10 minutes, and the account is then unlocked automatically.
The Administrator account lockout policy is also enabled by default at system setup on new machines running Windows 11 version 22H2, and on any new machine that has the October 11, 2022 Windows cumulative update (or later) applied before initial setup.
Finally, Microsoft now enforces password complexity on new machines when a local administrator account is used. The password must satisfy at least three of four character classes: lowercase letters, uppercase letters, digits, and symbols. According to the company, these changes will help "further protect accounts from being compromised because of a brute force attack."
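The steps above (enable the Administrator lockout policy, set the 10/10/10 values, and require password complexity) can be scripted on a standalone machine instead of clicked through in gpedit.msc. The following is an added example, not code from the article or from Microsoft. It assumes an elevated PowerShell session on a Windows build that carries the October 11, 2022 cumulative update or later, and it assumes that secedit exports the new policy under [System Access] as the INF key `AllowAdministratorLockout` (that key name is an assumption; check a fresh `secedit /export` on your build if it is not applied).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): apply the 10/10/10 lockout values,
# enable "Allow Administrator account lockout", and turn on password
# complexity for the local security policy, then show the result.
# Assumption: the policy is exported by secedit as AllowAdministratorLockout
# under [System Access]; PasswordComplexity is the long-standing key.

$inf = Join-Path $env:TEMP 'lockout.inf'
$sdb = Join-Path $env:TEMP 'lockout.sdb'

# 1. Threshold, reset window and duration (minutes) are written directly
#    by net accounts. Duration must not be shorter than the reset window,
#    so all three are set in one call.
net accounts /lockoutthreshold:10 /lockoutwindow:10 /lockoutduration:10 | Out-Null

# 2. Export the current local policy, set the two flag keys, re-import.
secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
$lines = Get-Content -Path $inf

$wanted = @{ 'AllowAdministratorLockout' = 1; 'PasswordComplexity' = 1 }
foreach ($pair in $wanted.GetEnumerator()) {
    $pattern = "^$($pair.Key)\s*="
    if ($lines -match $pattern) {
        # Key present: rewrite its value in place.
        $lines = $lines -replace "$pattern.*$", "$($pair.Key) = $($pair.Value)"
    } else {
        # Key absent from the export: add it right after the section header.
        $idx = [Array]::IndexOf($lines, '[System Access]')
        if ($idx -lt 0) { throw 'secedit export has no [System Access] section' }
        $lines = $lines[0..$idx] +
                 "$($pair.Key) = $($pair.Value)" +
                 $lines[($idx + 1)..($lines.Count - 1)]
    }
}

# secedit expects a Unicode (UTF-16 LE) INF file.
Set-Content -Path $inf -Value $lines -Encoding Unicode
secedit /configure /db $sdb /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
Remove-Item -Path $inf, $sdb -ErrorAction SilentlyContinue

# 3. Verify the numeric values; the flag keys can be checked with a new export.
net accounts
```

On a domain-joined machine the Account Lockout Policy values come from the domain GPO and will override what this script sets locally, so apply the same settings there through Group Policy instead. Once the policy is active, a lockout of the local account is recorded in the machine's Security log as event ID 4740, which is the signal to alert on when watching for brute-force attempts against the built-in Administrator account.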