Microsoft brings account brute-force protections to older versions of Windows

Martin Brinkmann
Oct 13, 2022
Updated • Oct 14, 2022

Microsoft unveiled plans in July 2022 to roll out brute force protection against local accounts in the next version of Windows 11 and Windows Server 2022. The added protection is now enabled on new machines running Windows 11 and on "any new machines that include the October 11, 2022 Windows cumulative updates before the initial setup".

In other words, local accounts on new machines are protected automatically against brute force attacks. Local accounts on old machines are not protected, even if the October security updates are installed on these machines. Administrators may enable these protections, provided that they have access to the Group Policy editor.

Account Lockout Policies

The following account lockout policies may be configured on any supported version of Windows, provided that the October 2022 security updates are installed on the device.

  • Account lockout duration: determines the duration in minutes that a locked account remains locked before it is automatically unlocked. A duration of 0 keeps the account locked until an administrator unlocks it manually.
  • Account lockout threshold: determines the number of failed login attempts required before an account gets locked automatically. A value of 0 disables the automatic lockout protection.
  • Allow Administrator account lockout: determines whether administrator accounts may be locked out if too many invalid login attempts are recorded by the system.
  • Reset account lockout counter after: determines the number of minutes that need to pass before the account lock counter is reset to 0.

Here is how to enable or disable these policies, depending on whether they are active by default or not.

  1. Select Start, type gpedit.msc and select the Group Policy editor result.
  2. Go to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
  3. There you find all four policies.
  4. Double-click on a policy to configure it. All that is required is to change the default values to either enable it or disable it.
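As an added example that is not part of the original article: the script below audits the four Account Lockout Policy values on an existing machine by exporting the local security policy with secedit, warns when the threshold is 0, and lists recent lockout events (Security event ID 4740). It assumes an elevated PowerShell session; the key name AllowAdministratorLockout is an assumption about how the new "Allow Administrator account lockout" policy appears in the secedit export.

```powershell
# Added example (not from the article): audit local account lockout settings.
# Assumes an elevated session. The AllowAdministratorLockout key name is assumed
# and is absent on builds without the October 2022 cumulative update.
$inf = Join-Path $env:TEMP 'lockout-policy.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null

# Parse only the [System Access] section of the exported .inf file
$policy = @{}
$inSystemAccess = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $inSystemAccess = ($Matches[1] -eq 'System Access'); continue }
    if ($inSystemAccess -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
        $policy[$Matches[1]] = $Matches[2]
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

$threshold = [int]$policy['LockoutBadCount']       # Account lockout threshold (0 = lockout disabled)
$duration  = [int]$policy['LockoutDuration']       # Account lockout duration in minutes (0 = until admin unlocks)
$reset     = [int]$policy['ResetLockoutCount']     # Reset account lockout counter after, in minutes
$adminLock = $policy['AllowAdministratorLockout']  # assumed key for "Allow Administrator account lockout"

"Lockout threshold : $threshold"
"Lockout duration  : $duration min"
"Reset counter     : $reset min"
"Admin lockout     : $(if ($null -eq $adminLock) { 'policy not present' } elseif ($adminLock -eq '1') { 'enabled' } else { 'disabled' })"

if ($threshold -eq 0) {
    Write-Warning 'Account lockout threshold is 0: local accounts are not protected against password guessing.'
}

# Recent lockouts: event 4740 is written to the Security log of the machine that locked the account
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

On editions without gpedit.msc, the same values can be set from an elevated prompt with net accounts (for example net accounts /lockoutthreshold:10 /lockoutduration:10 /lockoutwindow:10), and this script can then be rerun to confirm the change.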

Closing words

Some systems benefit from local brute force protections, especially if other people can access them. It is easy enough to configure the protections on older versions of Windows to reduce the chance of successful brute force attacks.

Now You: how do you protect your devices?

Comments

  1. anonymous-2 said on October 14, 2022 at 12:01 pm

    This article is incorrect where it states you have to restart Windows to apply updates.

    After manipulating/changing any group policies, open an admin PowerShell and execute gpupdate or gpupdate /force.

    And presto, it takes immediate effect.

    At very very very best a logout may be necessary for this particular group policy, but I doubt this very much.

  2. userpassadmin said on October 14, 2022 at 11:17 am

    What does “older versions” mean? Will my Windows 7 have any benefit from this news?

  3. Benjamin said on October 14, 2022 at 9:25 am

    What with all my Firefox logon credentials, which once only Firefox knew about, and suddenly it needs an operating system confirmation to access said application's passwords. Now, who is controlling which information and protection for whom exactly? My impression is that MS controls access to this information in another application, not me…

  4. Tachy said on October 14, 2022 at 2:45 am
    Q: How do you protect your devices?
    A: Knowledge.

    Note: This is something that too many people lack. We don’t need Microsoft to add “features”; we need to educate people so they stop doing stupid shit.

  5. yanta said on October 14, 2022 at 1:03 am
    Hasn’t this been available for ages?
    Looking at my 1809 installation I see 3 of the above 4 policies in secpol.msc.

    1. Anonymous said on October 15, 2022 at 1:42 am

      Account locking, as far as I know, has been available since XP, based on personal experience.
      Maybe they just added options to modify that.

  6. learntousewindows said on October 13, 2022 at 10:58 pm

    You don't need to restart the computer to apply policy update changes; you fire up PowerShell in admin mode and run gpupdate or gpupdate /force.

    Done, all is applied.

  7. Anonymous said on October 13, 2022 at 8:39 pm
    Something else in the ‘go wrong at the worst possible time’ category. Just like Bitlocker that is not supposed to be available on my machine but locked me out in any case.

  8. John G. said on October 13, 2022 at 8:21 pm

    All accounts should be protected against all types of problems, including brute force, by default. Thanks for the article. :]

    1. Timmy said on October 13, 2022 at 9:08 pm

      There’s already a similar anti-brute-force feature in Windows by default, because entering passwords takes longer once you fail 5 times or so.

  9. Anonymous said on October 13, 2022 at 7:25 pm

    Pls define “older versions”! The most important info here is left unexplained. *sigh*
