Next Windows 11 delays brute force attacks by default
Microsoft plans to roll out new default settings in the next major Windows 11 release that delay brute force attacks against accounts on the system.
Brute-force attacks are commonly used by threat actors to gain access to systems. Especially Remote Desktop Protocol attacks are frequently used to gain remote access to Windows machines. Microsoft notes that human-operated ransomware attacks use Remote Desktop Protocol brute force attacks frequently to break into accounts.
One of the main shortcomings of Windows is that there is no default limitation that delays brute force attacks. While organizations may implement additional protections, e.g., by going passwordless or enabling two-factor authentication, most Windows systems are not protected against attacks.
Launched in the latest Windows 11 Insider builds and coming soon to all Windows 11 devices is a set of new account lockout policies that improve brute forcing protection on the operating system.
The protections delay brute force attacks by locking accounts after a number of failed login attempts. The default configuration locks accounts after 10 invalid login attempts for 10 minutes. The protection is available for all account types, including administrator accounts, by default.
Windows 11 administrators may change the default configuration using the Group Policy Editor:
- Use Windows-R to open the run box.
- Type gpedit.msc and hit the Enter-key to load the Group Policy Editor.
- Navigate to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Account Lockout Policy.
- A double-click on any of the four listed policies displays options to change the default values.
The four policies in question are:
- Account lockout duration -- defines the time that the account will be locked if too many invalid login attempts are logged by the Windows 11 system.
- Account lockout threshold -- defines the number of failed login attempts that Windows uses to determine whether the account should be locked.
- Allow Administrator account lockout -- whether admin accounts should be locked as well.
- Reset account lockout counter after -- when the lockout counter is reset.
Closing Words
Microsoft plans to launch the new brute force protections in the next feature update, which is scheduled for a release in the coming months. The new defaults should limit human-operated ransomware attacks that try to brute force their way into Windows PCs significantly.
Now You: what is your take on this new protection?
In before “hackers exploit account lockdown bug” …
Thank you Martin.
I’ve used every version of Windows since the beginning (plus DOS before that, alongside Unix) and had no idea this option had become available. Old dogs do like learning new tricks (currently using Linux Mint in tandem with Win10). Much obliged!
Regards
Lawrence (NZ).
Everybody knows this is just another trick to force you into using a Microsoft account. There will be cases where some toddler has banged on the keyboard enough times and there will be a nice popup for mommy saying “REGISTER A MICROSOFT ACCOUNT TO UNLOCK YOUR COMPUTER”
It’s sad not so many people realized that since Windows 7, it’s just Windows 7 + bloatwares and no new features, thanks for your money.
It’s not that sad when you get newer versions of Windows for free. I agree with you that Windows 7 was the apogee of the Windows OS and every subsequent version has been some form of degradation, but when you don’t have to pay a dime to use the latest, what’s to complain about?
There is always the free Linux you can move to if you are so upset.
Newer versions of Windows are not free…
https://www.ghacks.net/2022/07/23/you-may-now-buy-windows-11-licenses-directly-from-microsoft-but-shouldnt/
Upgrading is free (iirc) but this myth of Windows being free seriously needs to die, it’s been debunked so many times and saying it’s free is highly misleading, i mean they’re literally charging people $139 for an OS that’s heavily geared towards advertising their own services and/or anyone who’s willing to bung cash their way.
And to add insult to injury they’re making people pay $139 for the privilege of being beta testers.
@Allwynd
Actually the best Windows in terms of engineering is / was Windows 8(.1)…
It had the lowest RAM usage of all (least amount of processes as well), fastest startup times, full SSD support, no forced updates yet, no ads yet etc.
Windows 7 and Windows 10, Windows 11 are all more bloated and heavy than that and / or have other issues. Other than the Metro screen Windows 8 was phenomenal, and the Metro screen is only an issue if you don’t know how to install Classic Shell.
Windows 7 was not much better than later builds of Windows Vista, Windows Vista SP2 is comparable to Windows 7 actually.
@Iron Heart,
Windows 8 marked the inception of 3rd party start menu replacements and other 3rd party UI enhancements that weren’t aimed at enriching the experience, but restoring it to the state it was before. If you need 3rd party software to restore functionality, that’s already a big drop in rating.
Maybe if Windows 8 came with an UI identical to Windwos 7, I would have agreed with you, but the bad UI drops it really low.
Lowest RAM usage doesn’t mean anything in terms of performance. And in times where IT professionals roll 32-64GB on their workstation or even daily driver, it is a massive fallacy to equate this to any metric proving the quality of an OS. The constant switching among user applications, several of which may be accessing large amounts of data, reduces the efficiency of LRU-style caching; aggressive prefetching allows each application to perform larger, less frequent I/O transfers, exploiting the disk performance advances. As memory sizes and disk bandwidths continue to increase, and as RAM hungry browsers as Chrome continue to proliferate, the performance benefit of aggressive prefetching will surpass that of caching policies.
The only new policy here is “Allow Administrator account lockout” – the other settings have always been there since ages ago; it’s just that they weren’t enabled by default…
Are they retarded? Why whould you want to even temporary lock an account? They should block source IP, or implement longer time it takes for password verification like it is already when you try to guess password at login screen.