Why it matters: New installations of Windows will be more secure thanks to a recently implemented policy against recurring login attempts. Microsoft is at war with brute force attacks, on all supported versions of Windows, not just Windows 11.
As Microsoft strives to implement a more secure Windows ecosystem, new security policies have become available to users and system administrators. The most recent policy concerns so-called brute force attacks, a proven threat against the Windows account management subsystem.
Microsoft says brute force attacks are one of the top three ways Windows machines are targeted today: malware and malicious scripts try countless password combinations until an account is broken and the user's login is compromised. What's worse, according to Microsoft, is that Windows devices currently don't allow the local Administrator account to be locked out, for security reasons.
Without proper protection for local setups, dangerous scenarios where local administrator accounts can be subject to unlimited brute force attacks become realistic. This type of attack can be performed using RDP communication over the Internet, while modern CPUs and GPUs make guessing common or simpler passwords a rather trivial affair.
Microsoft suggests a baseline security policy of 10/10/10, which states that an account will be locked out after 10 failed attempts within 10 minutes and the lockout period will last 10 minutes.
The latest effort to curb brute force attacks comes with the October 2022 Cumulative Update, as a new policy available to secure local machines by enabling local administrator account lockout. The policy can be found under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies and, when enabled, will block login attempts after a fixed number of failed attempts.
The new default lockout policy to mitigate RDP brute force attacks was introduced in July for the latest Windows 11 Insider builds. Now, the lockout policy becomes available for all supported versions of Windows with the October 2022 updates installed.
For new machines running Windows 11 version 22H2, the policy will be set by default during system setup. However, existing Windows 10 and Windows 11 machines that did not already have the cumulative update installed will require the policy to be set manually. Microsoft is also enforcing password complexity on new machines with local administrator accounts: the account password will now need to use at least three of the four basic character types (lowercase, uppercase, numbers, and symbols).
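As an added example that is not part of the article: a PowerShell audit that exports the local security policy with secedit and compares it with the 10/10/10 baseline, the new Administrator-lockout setting and the password-complexity requirement described above. It assumes an elevated prompt, and that AllowAdministratorLockout is the secedit key backing the "Allow Administrator account lockout" setting (an assumption; the other key names are secedit's standard [System Access] keys).

```powershell
# Added example, not from the article: audit the local lockout policy against the 10/10/10 baseline.
$cfg = Join-Path $env:TEMP 'lockout-audit.inf'
$null = secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet
if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated PowerShell prompt.' }

# The export is an INI file; keep only "Name = Value" pairs from the [System Access] section.
$policy = @{}
$inSystemAccess = $false
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\[(.+)\]$') { $inSystemAccess = ($matches[1] -eq 'System Access'); continue }
    if ($inSystemAccess -and $line -match '^\s*(\w+)\s*=\s*"?([^"]*)"?\s*$') { $policy[$matches[1]] = $matches[2] }
}
Remove-Item -Path $cfg -Force

# Expected values for a 10/10/10 policy with Administrator lockout and complexity enforced.
# AllowAdministratorLockout is assumed to be the key behind the October 2022 "Allow Administrator
# account lockout" setting; the remaining keys are the long-standing secedit [System Access] keys.
$checks = @(
    @{ Key = 'LockoutBadCount';           Expected = 10; Test = { param($v) $v -ge 1 -and $v -le 10 } }  # 0 = never locks out
    @{ Key = 'ResetLockoutCount';         Expected = 10; Test = { param($v) $v -ge 10 } }                # minutes before counter resets
    @{ Key = 'LockoutDuration';           Expected = 10; Test = { param($v) $v -ge 10 } }                # minutes the account stays locked
    @{ Key = 'AllowAdministratorLockout'; Expected = 1;  Test = { param($v) $v -eq 1 } }
    @{ Key = 'PasswordComplexity';        Expected = 1;  Test = { param($v) $v -eq 1 } }                 # 3 of 4 character classes
)

$report = foreach ($c in $checks) {
    $raw = $policy[$c.Key]
    $value = if ($null -ne $raw) { [int]$raw } else { $null }   # a missing key means "not configured"
    [pscustomobject]@{
        Setting   = $c.Key
        Actual    = if ($null -ne $value) { $value } else { 'not set' }
        Expected  = $c.Expected
        Compliant = ($null -ne $value) -and (& $c.Test $value)
    }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }   # non-zero exit so fleet tooling can flag the host
```

The script only reads the policy; to apply the baseline, set the values under the Account Lockout Policy node named above or push them with Group Policy.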