Why it matters: A recent Windows 11 Insider build turns on an account lockout policy by default, giving users automatic protection against brute force password attacks. After ten failed sign-in attempts the targeted account is locked out, and the policy covers the built-in Administrator account as well as ordinary user accounts. The policy does not stop an attacker from sending guesses, but it caps how many of them Windows will evaluate before the account is locked, which makes online password guessing against the machine impractical.
David Weston, Microsoft's Vice President of Enterprise and OS Security, announced the change on Twitter earlier this week. According to Weston, the lockout policy is intended to mitigate Remote Desktop Protocol (RDP) and other brute force password attacks. The default is present in Windows 11 Insider Preview builds 22528.1000 and newer. Windows 10 has the same account lockout settings, but nothing is enabled out of the box: administrators have to configure them themselves, through Group Policy (Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy) or the Local Security Policy snap-in.
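The manual step for Windows 10 described above, as an added example that is not code from the article or from Microsoft: a PowerShell script that reads the local account lockout policy, reports where it is weaker than the Windows 11 default (ten failures, ten-minute lockout, ten-minute reset window, Administrator account lockable), and applies that default. It assumes the key names secedit uses in its exported [System Access] section, including AllowAdministratorLockout, which only exists on builds that carry the "Allow Administrator account lockout" setting; on a domain member the domain policy overrides whatever is set locally.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article or from Microsoft. Reads the local
# account lockout policy and, where it is weaker than the Windows 11 default
# (10 failures, 10-minute lockout, 10-minute reset window, Administrator
# lockable), applies that default. Run in an elevated PowerShell on a
# stand-alone Windows 10/11 machine; on a domain member the domain policy wins.
# Assumed, not taken from the article: the [System Access] key names in
# secedit's export format, including AllowAdministratorLockout, which only
# exists on builds that have the "Allow Administrator account lockout" setting.

$Desired = @{ Threshold = 10; DurationMinutes = 10; WindowMinutes = 10; AllowAdminLockout = 1 }

function Get-LockoutPolicy {
    # secedit is the one built-in tool that exposes every value, including the
    # Administrator switch, without Group Policy. Export to a temp INF and parse.
    $inf = Join-Path $env:TEMP 'lockout-audit.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    $text = Get-Content -Path $inf -Raw
    Remove-Item -Path $inf -Force
    $read = {
        param($key)
        if ($text -match "(?m)^$key\s*=\s*(\d+)") { [int]$Matches[1] } else { $null }
    }
    [pscustomobject]@{
        Threshold         = & $read 'LockoutBadCount'            # 0 = never lock out
        DurationMinutes   = & $read 'LockoutDuration'            # 0 = locked until an admin unlocks
        WindowMinutes     = & $read 'ResetLockoutCount'          # failures older than this are forgotten
        AllowAdminLockout = & $read 'AllowAdministratorLockout'  # $null when the build lacks the setting
    }
}

function Test-LockoutPolicy {
    # Returns the list of ways the current policy falls short of $Desired.
    param([pscustomobject]$Policy)
    $gaps = @()
    if (-not $Policy.Threshold) {
        $gaps += 'Threshold is 0: unlimited guesses, lockout never happens'
    } elseif ($Policy.Threshold -gt $Desired.Threshold) {
        $gaps += "Threshold $($Policy.Threshold) is looser than $($Desired.Threshold)"
    }
    if ($Policy.Threshold -and $null -ne $Policy.DurationMinutes -and
        $Policy.DurationMinutes -ne 0 -and $Policy.DurationMinutes -lt $Desired.DurationMinutes) {
        $gaps += "Lockout duration $($Policy.DurationMinutes) min is shorter than $($Desired.DurationMinutes)"
    }
    if ($Policy.AllowAdminLockout -ne $Desired.AllowAdminLockout) {
        $gaps += 'Built-in Administrator is exempt from lockout (or the setting is unsupported on this build)'
    }
    $gaps
}

function Set-LockoutPolicy {
    # net accounts sets the three counters; the Administrator switch is only
    # reachable through secedit (or Group Policy), so apply it from a minimal INF.
    net accounts /lockoutthreshold:$($Desired.Threshold) `
                 /lockoutduration:$($Desired.DurationMinutes) `
                 /lockoutwindow:$($Desired.WindowMinutes) | Out-Null
    $inf = Join-Path $env:TEMP 'lockout-apply.inf'
    $db  = Join-Path $env:TEMP 'lockout-apply.sdb'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[System Access]
AllowAdministratorLockout = $($Desired.AllowAdminLockout)
"@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    Remove-Item -Path $inf, $db -Force -ErrorAction SilentlyContinue
}

$before = Get-LockoutPolicy
Write-Host 'Current lockout policy:'
$before | Format-List | Out-String | Write-Host
$gaps = Test-LockoutPolicy -Policy $before
if ($gaps) {
    $gaps | ForEach-Object { Write-Host "  gap: $_" }
    Set-LockoutPolicy
    Write-Host 'Policy after applying the Windows 11 defaults:'
    Get-LockoutPolicy | Format-List | Out-String | Write-Host
} else {
    Write-Host 'Lockout policy already at or above the Windows 11 default.'
}
```

Run it once to see the current values (a fresh Windows 10 install reports a threshold of 0, meaning lockout never happens), and a second time to confirm the change stuck. A lockout duration of 0 is deliberately left alone: it means the account stays locked until an administrator unlocks it, which is stricter than the default, not weaker.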
@windowsinsider Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors. This technique is very commonly used in Human Operated Ransomware and other attacks - this control will make brute forcing much harder which is awesome! pic.twitter.com/ZluT1cQQh0
— David Weston (DWIZZZLE) (@dwizzzleMSFT) July 20, 2022
Brute force attacks use scripts and tools that submit password guesses, often millions of them, until one is accepted. A pure brute force tries every possible combination of characters, so the time it needs grows with the length and complexity of the password; in practice, attackers hitting RDP usually start with dictionaries of common and previously leaked passwords instead. The new default does not slow the guessing tool down, but it changes what the guesses are worth: with the Windows 11 defaults of ten attempts, a ten-minute lockout and a ten-minute reset window, an attacker gets at most ten guesses per account every ten minutes, far too few to work through even a modest word list. Two caveats apply. Password spraying, which tries a handful of common passwords against many accounts and stays under the threshold on each of them, is not stopped by lockout, and an attacker who can reach the logon interface can deliberately lock accounts out as a denial of service. Offline cracking of stolen password hashes is unaffected, since no logon attempt takes place.
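To make the difference between the two patterns concrete, here is an added example (not from the article) that groups failed-logon records by source address and target account and separates a single-account brute force, which the new lockout default stops, from a low-and-slow password spray, which stays under the threshold on every account and needs its own detection. The records are constructed to mirror the fields of Security event 4625; on a real host they would come from Get-WinEvent with the Security log and event ID 4625, mapping TimeCreated, IpAddress, TargetUserName and LogonType into the same shape. The spray cut-off ($SprayMinAccounts) is an assumed tuning value, not a Windows setting.

```powershell
# Added example, not from the article. Groups failed-logon records by source
# address and target account to separate a single-account brute force (which
# the lockout default stops) from a password spray (which stays under the
# threshold on every account). The records below are constructed to mirror
# Security event 4625 fields; on a real host build $events from
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 }
# and map TimeCreated, IpAddress, TargetUserName and LogonType into this shape.

$Threshold        = 10   # Windows 11 default lockout threshold
$WindowMinutes    = 10   # Windows 11 default reset window
$SprayMinAccounts = 5    # assumption: one source failing against this many accounts is spraying

# Constructed sample data. Logon type 10 is RemoteInteractive, i.e. RDP.
$base   = Get-Date '2022-07-20T10:00:00'
$events = @()
foreach ($n in 1..12) {                         # 12 guesses at one account in 48 seconds
    $events += [pscustomobject]@{ Time = $base.AddSeconds(4 * $n); Source = '203.0.113.7'; Target = 'jsmith'; LogonType = 10 }
}
$sprayed = 'alee','mwong','helpdesk','svc-backup','rpatel','kdoe','tchan','bnguyen'
for ($i = 0; $i -lt $sprayed.Count; $i++) {     # one guess per account, three minutes apart
    $events += [pscustomobject]@{ Time = $base.AddMinutes(3 * $i); Source = '198.51.100.9'; Target = $sprayed[$i]; LogonType = 10 }
}
$events += [pscustomobject]@{ Time = $base.AddMinutes(1); Source = '192.0.2.44'; Target = 'alee'; LogonType = 10 }  # a lone typo

function Get-PeakFailures {
    # Largest number of failures from one sorted list of timestamps that fall
    # inside any single reset window; this is what the lockout counter sees.
    param([datetime[]]$Times, [int]$Minutes)
    $peak = 0
    foreach ($t in $Times) {
        $n = @($Times | Where-Object { $_ -gt $t.AddMinutes(-$Minutes) -and $_ -le $t }).Count
        if ($n -gt $peak) { $peak = $n }
    }
    $peak
}

function Get-FailedLogonFindings {
    param([object[]]$Events)
    $findings = @()
    # Per source/account pair: would the lockout policy have fired?
    foreach ($pair in ($Events | Group-Object Source, Target)) {
        $peak = Get-PeakFailures -Times ($pair.Group.Time | Sort-Object) -Minutes $WindowMinutes
        if ($peak -ge $Threshold) {
            $findings += [pscustomobject]@{
                Kind = 'BruteForce'; Source = $pair.Group[0].Source
                Targets = $pair.Group[0].Target; Failures = $peak
                Note = "reaches threshold $Threshold; account lockout fires"
            }
        }
    }
    # Per source: many accounts, each below the threshold, is a spray.
    foreach ($src in ($Events | Group-Object Source)) {
        $perAccount    = @($src.Group | Group-Object Target)
        $maxPerAccount = ($perAccount | ForEach-Object {
                Get-PeakFailures -Times ($_.Group.Time | Sort-Object) -Minutes $WindowMinutes
            } | Measure-Object -Maximum).Maximum
        if ($perAccount.Count -ge $SprayMinAccounts -and $maxPerAccount -lt $Threshold) {
            $findings += [pscustomobject]@{
                Kind = 'PasswordSpray'; Source = $src.Name
                Targets = ($perAccount.Name -join ','); Failures = $src.Count
                Note = 'below threshold on every account; lockout never fires'
            }
        }
    }
    $findings
}

Get-FailedLogonFindings -Events $events | Format-Table -AutoSize -Wrap
```

On the constructed data this reports one BruteForce finding for 203.0.113.7 against jsmith (twelve failures in one window, so the default policy would have locked the account after the tenth) and one PasswordSpray finding for 198.51.100.9 (eight accounts, one failure each, never reaching the threshold); the single failure from 192.0.2.44 produces nothing. The spray case is the one the lockout default does not cover, which is why the per-source grouping is worth running alongside the per-account counter.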
Despite their age and simplicity, brute force attacks have seen a resurgence driven by today's workplace needs. The Covid-19 pandemic forced many companies and employees to rely on remote access solutions, RDP among them, and an exposed logon service is exactly what brute force tooling targets. The shift in workplace connectivity produced a sharp rise in brute force attacks, reported as an increase from roughly 150,000 attacks per year to more than one million at the start of the pandemic.
The move by Microsoft is a big step toward blunting one of the oldest and simplest attack techniques still in wide use. Lockout only limits online guessing, so users should still follow good password practice: prefer long passwords, vary character case, include numbers and (where permitted) special characters, and never reuse a password that has appeared in a previous breach, since dictionary-based guessing starts with exactly those.