As part of the most recent releases of the Windows 11 operating system, Microsoft is now taking measures to thwart Remote Desktop Protocol (RDP) brute-force attacks in an effort to raise the security bar in response to the growing threat landscape. The default setting for Windows 11 builds, namely Insider Preview versions 22528.1000 and newer, locks accounts automatically after 10 unsuccessful sign-in attempts for ten minutes.
“Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute-force password vectors,” said David Weston, Microsoft’s vice president for OS security and enterprise. “This technique is very commonly used in Human Operated Ransomware and other attacks — this control will make brute forcing much harder which is awesome!”
It’s important to note that although Windows 10 currently includes this account lockout feature, it is not turned on by default. The capability is also expected to be backported to earlier versions of Office, a move that follows the decision to continue restricting Visual Basic for Applications (VBA) macros in Office documents.
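Because the lockout policy is present but disabled on Windows 10, an administrator who wants the same protection there has to turn it on. The following PowerShell is an added example, not code from the article or from Microsoft: it reads the effective local policy with `net accounts`, and if lockout is off it applies the values the article attributes to the Windows 11 default (10 attempts, 10-minute lockout). It assumes an elevated session on a standalone or workgroup machine; on a domain-joined host the domain Group Policy overrides whatever is set locally.

```powershell
# Added example: audit the local account lockout policy and enable it with the
# Windows 11 default values if it is currently off. Requires an elevated prompt.

function Get-LocalLockoutPolicy {
    # 'net accounts' prints the effective local policy; parse the three lockout lines.
    $raw = net accounts
    $policy = @{}
    foreach ($line in $raw) {
        if ($line -match '^Lockout threshold:\s+(.+)$') {
            $policy.Threshold = $Matches[1].Trim()
        }
        elseif ($line -match '^Lockout duration \(minutes\):\s+(.+)$') {
            $policy.DurationMinutes = $Matches[1].Trim()
        }
        elseif ($line -match '^Lockout observation window \(minutes\):\s+(.+)$') {
            $policy.WindowMinutes = $Matches[1].Trim()
        }
    }
    [pscustomobject]$policy
}

$before = Get-LocalLockoutPolicy
"Current policy:"
$before | Format-List

# 'Never' means lockout is disabled, which is the Windows 10 default the article describes.
if ($before.Threshold -eq 'Never') {
    Write-Warning "Account lockout is disabled; applying threshold=10, duration=10 min, window=10 min."
    # All three switches are documented options of 'net accounts'. The lockout duration
    # must be greater than or equal to the observation window, so they are set together.
    net accounts /lockoutthreshold:10 /lockoutduration:10 /lockoutwindow:10 | Out-Null
}

"Policy after the change:"
Get-LocalLockoutPolicy | Format-List
```

On a domain, the equivalent settings live under Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy in the Default Domain Policy, and the local values shown here are ignored for domain accounts.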
Apart from malicious macros, brute-forced RDP access has long been one of the most popular methods employed by threat actors to enter Windows computers without authorization. One of the busiest ransomware groups in 2022, LockBit, is believed to frequently rely on RDP for its initial foothold and subsequent operations. Conti, Hive, Crysis, PYSA, SamSam, and Dharma are other families that have been seen employing a similar approach. The goal of establishing this new threshold is to drastically reduce the potency of the RDP attack vector and prevent attacks that rely on brute-force password guessing and stolen credentials.
“Brute-forcing RDP is the most common method used by threat actors attempting to gain access to Windows systems and execute malware,” noted Zscaler. “Threat actors scan for […] publicly open RDP ports to conduct distributed brute-force attacks. Systems that use weak credentials are easy targets, and, once compromised, attackers sell access to the hacked systems on the dark web to other cybercriminals.”
According to Microsoft’s documentation, the account lockout threshold policy option may itself be abused to launch denial-of-service (DoS) attacks. The company warns that a malicious actor could automate a series of password attempts against every user in the organization: if the number of tries exceeds the lockout threshold, the attacker could lock out all accounts.
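The defender's side of that caveat is to notice when lockouts stop looking like a single user mistyping a password and start looking like a sweep across many accounts. The script below is an added example, not from the article or from Microsoft, that reads Security event 4740 ("A user account was locked out") from the local log, counts distinct locked accounts over a short window, and lists the calling computer names that triggered them. It assumes an elevated session on the machine that records the lockouts; the 15-minute window and the five-account threshold are illustrative values chosen for this example, not figures from the article.

```powershell
# Added example: detect a burst of account lockouts, the symptom of the
# lockout-policy denial-of-service abuse described above. Requires read access
# to the Security log (elevated session).

function Get-LockoutStorm {
    param(
        [int]$LookbackMinutes = 15,           # illustrative window
        [int]$DistinctAccountThreshold = 5    # illustrative trigger
    )
    $since = (Get-Date).AddMinutes(-$LookbackMinutes)

    # Event ID 4740: in its EventData, index 0 is TargetUserName (the locked account)
    # and index 1 is TargetDomainName, which for this event carries the caller computer name.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    if (-not $events) { return $null }

    $rows = foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = $e.Properties[0].Value
            Caller  = $e.Properties[1].Value
        }
    }

    $distinct = @($rows.Account | Sort-Object -Unique).Count
    [pscustomobject]@{
        Lockouts         = @($rows).Count
        DistinctAccounts = $distinct
        TopCallers       = ($rows | Group-Object Caller | Sort-Object Count -Descending |
                            Select-Object -First 3 Name, Count)
        Suspicious       = ($distinct -ge $DistinctAccountThreshold)
    }
}

$r = Get-LockoutStorm
if ($r -and $r.Suspicious) {
    Write-Warning "$($r.Lockouts) lockouts across $($r.DistinctAccounts) accounts in the last 15 minutes; source hosts:"
    $r.TopCallers | Format-Table -AutoSize
}
else {
    "No lockout burst detected."
}
```

In an Active Directory domain every lockout is also recorded on the PDC emulator, so pointing `Get-WinEvent` at that domain controller with `-ComputerName` gives a domain-wide view. The caller computer name is the useful pivot: a single host locking out many accounts points at the source of the password spray rather than at the users being locked.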