Microsoft announced today that IT admins can now configure any Windows system still receiving security updates to automatically block brute force attacks targeting local administrator accounts via a group policy.
Microsoft added this policy as they say Windows does not currently apply Account Lockout policies to "local administrators," allowing threat actors to repeatedly brute force passwords for these accounts.
"However, Windows devices currently do not allow local administrators to be locked out." - Microsoft.
The announcement comes after David Weston, Microsoft's VP for Enterprise and OS Security, said in July that the same Windows group policy is now enabled by default on the latest Windows 11 builds.
As a result, Windows 11 systems where the policy is toggled on automatically lock user accounts (including Administrator accounts) for 10 minutes after 10 failed sign-in attempts within 10 minutes.
"Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors," he tweeted on July 21st.
"This technique is very commonly used in Human Operated Ransomware and other attacks - this control will make brute forcing much harder which is awesome!"
Today, almost three months after Weston's announcement, Microsoft revealed that the same account lockout policy is now available on any Windows system where the October 2022 cumulative updates are installed.
"In an effort to prevent further brute force attacks/attempts, we are implementing account lockouts for Administrator accounts," Microsoft said today.
"Beginning with the October 11, 2022 or later Windows cumulative updates, a local policy will be available to enable local administrator account lockouts."
Admins who want to toggle on this additional defense against brute force attacks can find the "Allow Administrator account lockout" policy under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies.
This group policy is enabled by default on new machines running Windows 11 22H2, and on machines where the October 2022 Windows cumulative updates were installed before initial setup, that is, before the Security Account Manager (SAM) database that stores users' passwords is first instantiated on the new machine.
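The following PowerShell script is an added example for auditing, enforcing and monitoring the lockout settings described above; it is not code from the article or from Microsoft. It reads the effective local policy with secedit, flags a zero threshold or a disabled "Allow Administrator account lockout" setting, can apply the 10/10/10 values via a secedit template, and lists recent lockout events (Security event ID 4740) so an admin can see the control firing. It assumes an elevated session on a supported Windows host, and that the secedit [System Access] key names it looks for (LockoutBadCount, ResetLockoutCount, LockoutDuration, AllowAdministratorLockout) match what secedit exports on your build; confirm that with a manual export before relying on it.

```powershell
# Added example, not code from the article or from Microsoft.
# Audit, enforce and monitor the local account lockout policy.
# Run from an elevated PowerShell session on the Windows host being checked.
# Assumption: the secedit [System Access] key names below match what secedit
# exports on your build; verify with a manual "secedit /export" first.

$LockoutKeys = 'LockoutBadCount', 'ResetLockoutCount', 'LockoutDuration', 'AllowAdministratorLockout'

function Get-LocalLockoutPolicy {
    # secedit writes the effective local security policy as an INI-style file.
    $inf = Join-Path $env:TEMP 'lockout-audit.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $text = Get-Content -Path $inf -Raw
    Remove-Item -Path $inf -ErrorAction SilentlyContinue

    $policy = [ordered]@{}
    foreach ($key in $LockoutKeys) {
        # A missing key means the setting does not exist on this build
        # (for example AllowAdministratorLockout before the October 2022 update).
        $policy[$key] = if ($text -match "(?m)^\s*$key\s*=\s*(\d+)") { [int]$Matches[1] } else { $null }
    }
    [pscustomobject]$policy
}

function Test-LocalLockoutPolicy {
    param([Parameter(Mandatory)]$Policy)
    $findings = @()
    if ($Policy.LockoutBadCount -eq 0) {
        $findings += 'Account lockout threshold is 0: no account is ever locked out.'
    }
    if ($null -eq $Policy.AllowAdministratorLockout) {
        $findings += 'AllowAdministratorLockout is absent: this build predates the setting.'
    } elseif ($Policy.AllowAdministratorLockout -ne 1) {
        $findings += 'Allow Administrator account lockout is disabled: local admin accounts are not protected.'
    }
    if ($findings.Count -eq 0) { 'OK: lockout policy is active and covers local administrators.' } else { $findings }
}

function Set-LocalLockoutPolicy {
    # Applies the 10/10/10 values from the article and enables admin lockout.
    # "net accounts" cannot set AllowAdministratorLockout, so a secedit
    # template is imported instead. Single-quoted here-string: $CHICAGO$ is literal.
    $inf = Join-Path $env:TEMP 'lockout-apply.inf'
    $db  = Join-Path $env:TEMP 'lockout-apply.sdb'
    @'
[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 10
ResetLockoutCount = 10
LockoutDuration = 10
AllowAdministratorLockout = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY | Out-Null
    Remove-Item -Path $inf, $db -ErrorAction SilentlyContinue
}

function Get-RecentLockouts {
    param([int]$Hours = 24)
    # Event ID 4740 is written to the Security log when an account is locked out.
    # In its XML, TargetUserName is the locked account and TargetDomainName is
    # the name of the computer the failed attempts came from.
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time           = $_.TimeCreated
            LockedAccount  = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            CallerComputer = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
        }
    }
}

# Usage: audit first, then enforce only if findings were reported.
$policy = Get-LocalLockoutPolicy
$policy
Test-LocalLockoutPolicy -Policy $policy
# Set-LocalLockoutPolicy      # uncomment to enforce 10/10/10 plus admin lockout
Get-RecentLockouts -Hours 24 | Format-Table -AutoSize
```

The audit deliberately distinguishes "key absent" from "key set to 0": the first means the host has not received the update that introduced the setting, the second means someone turned it off, and those call for different remediation. Scheduling Get-RecentLockouts (or forwarding 4740 events to a SIEM) turns the lockout into a detection signal, which also surfaces the denial-of-service concern raised in the comments if one account keeps getting locked.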
Microsoft also announced today that it now requires local administrator accounts to use complex passwords that "must have at least three of the four basic character types (lower case, upper case, numbers, and symbols)."
This change was made as an extra defense against brute force attacks, which modern CPUs and GPUs make trivial to carry out when passwords are too short or too simple.
Redmond is slowly shrinking the attack surface abused by ransomware operators to breach Windows systems, as shown by its recent decisions to also auto-block Office macros in downloaded documents and enforce multi-factor authentication (MFA) in Azure AD.
Update October 12, 10:24 EDT: Made it clearer that Microsoft says Windows didn’t apply lockout policies to “local administrators” before this change.
Comments
MisterVVV - 1 year ago
Hi!
Can't find KB5020282 anywhere.
I have all the latest Updates but the above KB is not there.
Can't find it on the Microsoft catalog either.
Have Windows 11 22H2
Someone?.....
//me
serghei - 1 year ago
The October 2022 cumulative updates will add the "Allow Administrator account lockout" group policy. You don't need to install a separate update.
KB5020282 is a support document, not an update.
MisterVVV - 1 year ago
Thanks serghei!
I can see the Account Lockout Policy in my Local Group Policy Editor, but all settings about it are greyed out.
nicbawt - 1 year ago
If the 'Account lockout threshold' policy is set to 0, the other policy settings will be greyed out and disabled. Changing the threshold to anything other than 0 will enable the rest and you should be prompted when doing so.
MisterVVV - 1 year ago
Thanks nicbawt!
It worked.
pj20783 - 1 year ago
In my opinion this feature is quite not yet there. They should block the possibly malicious IP address the invalid login came from, and not the actual user account.
MisterVVV - 1 year ago
Good morning!
Am I wrong, or isn't this policy for the built-in admin account, which is disabled by default? If so, what security does it provide?
acoppola - 1 year ago
Hi MisterVVV,
Nope, it's a local policy that applies to all local accounts.
Icepop33 - 1 year ago
Account lockout policies are always tricky business. The initial threshold sounds reasonable, but if this is designed to block remote attacks, and not just "in-the-chair" brute guessing attacks, this would seem to open up a pretty effective DoS attack vector.
j1d6v6n9s1k - 1 year ago
I would implement a LAPS type of solution with long password (30+ characters) and have it set to rotate every 4 hours. No need to implement a lockout policy on local accounts. LAPS for Azure AD / SEVA Community Edition is free and should suffice in most cases