Microsoft is currently taking steps to prevent brute-force attacks against Remote Desktop Protocol (RDP) in Windows 11 in order to increase the security baseline in line with the changing threat landscape.
To that end, the default policy for Windows 11 builds, specifically Insider Preview builds 22528.1000 and later, automatically locks out accounts for 10 minutes after 10 invalid login attempts.
“Windows 11 builds now have a default account lockout policy to mitigate RDP and other password brute force vectors,” David Weston, Microsoft vice president of OS security and company security, said in a series of tweets last week. “This technique is very commonly used in human-controlled ransomware and other attacks – this control will make brute force much more difficult, which is great!”
It’s worth noting that while this account lockout setting is already built into Windows 10, it’s not enabled by default.
This feature, which follows the company’s decision to restore Visual Basic Application (VBA) macro blocking for Office documents, is also expected to be backported to earlier versions of Windows and Windows Server.
Apart from malicious macros, brute-forcing RDP logins has long been one of the most popular methods used by attackers to gain unauthorized access to Windows systems.
LockBit, one of the most active ransomware groups in 2022, is known to frequently rely on Windows 11 RDP to gain a foothold and continue its operations. Other families using the same mechanism are Conti, Hive, PYSA, Crysis, SamSam and Dharma.
The goal of this new default threshold is to significantly reduce the effectiveness of the RDP attack vector and to prevent intrusions that rely on password guessing and compromised credentials.
“RDP protection is the most common method used by hackers trying to access Windows 11 systems and run malware,” Zscaler noted last year.
“Threat actors are looking for […] publicly open RDP ports for distributed brute force attacks. Systems using weak credentials are easy targets, and once compromised, attackers sell access to compromised systems on the dark web to other cybercriminals.”
However, Microsoft in its documentation warns of potential denial of service (DoS) attacks that can be orchestrated by abusing the account lockout threshold policy setting.
“An attacker could programmatically attempt a series of attacks on the passwords of all users in an organization,” the company notes. “If the number of attempts exceeds the account lockout threshold, an attacker could potentially lock out all accounts.”
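To make both halves of the article concrete (the 10-attempts-in-10-minutes default described above, and the lockout denial-of-service that Microsoft's documentation warns about), here is an added Python example that is not code from the article, Microsoft or Zscaler. It models the lockout policy over a constructed stream of failed-logon records (the shape of Windows event 4625: time, account, source address, outcome) and then runs a simple detection over the resulting lockouts to flag a single source that is locking out many distinct accounts. The counter-reset window (Windows calls it "Reset account lockout counter after") is not stated in the article and is assumed to be 10 minutes; the detection thresholds (`min_accounts`, `window`) are assumed values a defender would tune, and every log record is constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Policy values stated in the article: 10 invalid attempts -> 10 minute lockout.
LOCKOUT_THRESHOLD = 10
LOCKOUT_DURATION = timedelta(minutes=10)
# Assumption: the bad-password counter resets after 10 minutes of no failures.
RESET_WINDOW = timedelta(minutes=10)


def simulate_lockouts(events):
    """Apply the lockout policy to time-ordered (timestamp, user, source_ip, success) records.

    Returns a list of (timestamp, user, source_ip) lockout records, one per
    time an account crosses the threshold. While an account is locked, every
    attempt against it is rejected and does not advance the counter (mirrors
    what a 4740 lockout event would record)."""
    failures = defaultdict(list)   # user -> timestamps of failures inside RESET_WINDOW
    locked_until = {}              # user -> time the lockout expires
    lockouts = []
    for ts, user, ip, ok in events:
        if user in locked_until and ts < locked_until[user]:
            continue               # still locked: attempt is rejected outright
        if ok:
            failures[user].clear() # successful logon resets the bad-password count
            continue
        # forget failures older than the reset window, then record this one
        failures[user] = [t for t in failures[user] if ts - t <= RESET_WINDOW]
        failures[user].append(ts)
        if len(failures[user]) >= LOCKOUT_THRESHOLD:
            locked_until[user] = ts + LOCKOUT_DURATION
            lockouts.append((ts, user, ip))
            failures[user].clear()
    return lockouts


def lockout_dos_sources(lockouts, min_accounts=5, window=timedelta(minutes=15)):
    """Flag source addresses that lock out >= min_accounts distinct users within `window`.

    A single brute-force usually locks one account; one source locking many
    accounts in a short span is the denial-of-service pattern the article quotes
    Microsoft warning about. Returns {source_ip: distinct_accounts_locked}."""
    by_ip = defaultdict(list)
    for ts, user, ip in lockouts:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, items in by_ip.items():
        items.sort()
        for t0, _ in items:
            users = {u for t, u in items if t0 <= t <= t0 + window}
            if len(users) >= min_accounts:
                flagged[ip] = len(users)
                break
    return flagged


def build_sample_events():
    """Constructed sample data (not real log data) covering three situations."""
    base = datetime(2022, 7, 25, 9, 0, 0)
    events = []
    # 1. A legitimate user mistypes twice, then logs in: no lockout expected.
    for i in range(2):
        events.append((base + timedelta(seconds=i * 5), "bob", "10.0.0.8", False))
    events.append((base + timedelta(seconds=20), "bob", "10.0.0.8", True))
    # 2. Single-account brute force: 12 attempts in about a minute from one address.
    for i in range(12):
        events.append((base + timedelta(seconds=60 + i * 5), "alice", "203.0.113.5", False))
    # 3. Lockout DoS: 10 bad passwords against each of six accounts from one address.
    for n, user in enumerate(["carol", "dave", "erin", "frank", "grace", "heidi"]):
        for i in range(10):
            events.append((base + timedelta(seconds=300 + n * 60 + i * 3), user, "198.51.100.7", False))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    locks = simulate_lockouts(build_sample_events())
    for ts, user, ip in locks:
        print(f"{ts:%H:%M:%S} lockout user={user} triggered_from={ip}")
    print("possible lockout-DoS sources:", lockout_dos_sources(locks))
```

On the sample data, "bob" never locks out, "alice" locks out exactly once (the 11th and 12th attempts are rejected without counting), and the spraying address produces six lockouts across six accounts, which is what the detection flags. In a real environment the same logic would be fed from Security-log events 4625 (failed logon) and 4740 (account locked out); the simulation is here to make the policy's counting rules and the DoS caveat visible on one screen.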