Microsoft has rolled out a new feature for all supported versions of Windows intended to make brute force attacks against local administrator accounts more difficult. This new feature means Windows devices can now lock out local admins – something Windows devices weren’t allowed to do until yesterday’s Patch Tuesday updates introduced a new set of lockdown policies administrator accounts.
When local administrator accounts cannot be locked down on a Windows device, attackers can attempt to guess the correct account password without limits. Attackers can often quickly guess which ones are simple and short. As Microsoft points out, this attack can be carried out using Remote Desktop Protocol (RDP) over a network. RDP is a feature often targeted by ransomware gangs trying to gain access to systems.
“From Windows updates, it will be possible to enable local administrator account lockout,” Microsoft explains in a support note for KB5020282 spotted by the Bleeping Computer site.
Microsoft tightens the screw
The account lockout feature has four settings: account lockout counter reset, lockout of all administrator accounts, account lockout threshold, and account lockout duration. Microsoft’s baseline recommends that organizations enable administrator account lockout and set the other three settings to 10/10/10, which means the account will be locked out after 10 failed attempts within 10 minutes and the lockout will last 10 minutes. After that, the account is automatically unlocked.
This is the default state for Windows 11, version 22H2, as well as cleanly installed machines that include Windows Cumulative Updates October 11, 2022 prior to setup.
Microsoft notes that a machine that was configured and had the October updates installed later would not be secure by default and would require policy settings to be added explicitly. Administrators can also apply the disabled setting to “Allow administrator account lockout”.
Stronger passwords
On new machines used by a local administrator account, Microsoft will now enforce password complexity, requiring the password to have “at least three of the four basic character types (lowercase, uppercase, numbers, and symbols)”.
Microsoft management points out that Microsoft’s Patch Tuesday restricted the reuse of computer accounts through domain join if the person joining the domain does not have the appropriate rights to the account. This is another part of Microsoft’s effort to secure Windows by default and is related to an Active Directory elevation of privilege flaw – CVE-2022-38042 – addressed in the update. October 11, with hardening changes for domain join.
In September, Microsoft rolled out a default rate limiter to make Windows 11 machines a “very unattractive target” for hackers trying to steal credentials.
Source: ZDNet.com