Microsoft Adds Default Protection Against RDP Brute-Force Attacks in Windows 11


Microsoft is now taking steps to prevent Remote Desktop Protocol (RDP) brute-force attacks as part of the latest builds for the Windows 11 operating system in an effort to raise the security baseline to meet the evolving threat landscape.
To that end, the default policy for Windows 11 builds — specifically Insider Preview builds 22528.1000 and newer — will automatically lock accounts for 10 minutes after 10 invalid login attempts.
“Win11 builds now have STANDARD account lockout policies to reduce RDP and other brute-force password vectors,” David Weston, Microsoft’s vice president of OS security and enterprise, said in a series of tweets last week. “This technique is very commonly used in human-operated ransomware and other attacks – this check will make brute force control much more difficult, which is great!”
It’s worth pointing out that while this account lockout setting is already included in Windows 10, it’s not enabled by default.
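The policy described above is an ordinary account lockout setting, so a local check for it is straightforward. The following PowerShell is an added example, not code from the article or from Microsoft: it reads the effective local lockout policy with `net accounts`, compares it with the Windows 11 baseline the article states (10 invalid attempts, 10-minute lockout), and can apply that baseline. The 10-minute observation window is an assumption of this example; the article does not state it.

```powershell
# Added example (not from the article): audit the local account lockout policy against
# the Windows 11 default the article describes and, if needed, apply it.
# Run in an elevated PowerShell session. The observation window value is an assumption.

$Baseline = @{ Threshold = 10; DurationMinutes = 10; WindowMinutes = 10 }

function Get-LockoutPolicy {
    # `net accounts` prints the effective local policy; parse its three lockout lines.
    $text = net accounts | Out-String
    $threshold = if ($text -match 'Lockout threshold:\s+(\S+)') { $Matches[1] } else { $null }
    $duration  = if ($text -match 'Lockout duration \(minutes\):\s+(\S+)') { $Matches[1] } else { $null }
    $window    = if ($text -match 'Lockout observation window \(minutes\):\s+(\S+)') { $Matches[1] } else { $null }
    [pscustomobject]@{
        # "Never" means a threshold of 0: accounts are never locked (the Windows 10 default).
        Threshold       = if ($threshold -eq 'Never') { 0 } else { [int]$threshold }
        DurationMinutes = [int]$duration
        WindowMinutes   = [int]$window
    }
}

function Test-LockoutPolicy {
    param([pscustomobject]$Policy)
    $findings = @()
    if ($Policy.Threshold -eq 0) {
        $findings += 'Lockout threshold is 0 (Never): unlimited password guesses are allowed over RDP'
    } elseif ($Policy.Threshold -gt $Baseline.Threshold) {
        $findings += "Lockout threshold $($Policy.Threshold) is above the baseline of $($Baseline.Threshold)"
    }
    if ($Policy.DurationMinutes -lt $Baseline.DurationMinutes) {
        $findings += "Lockout duration $($Policy.DurationMinutes) min is below the baseline of $($Baseline.DurationMinutes)"
    }
    if ($Policy.WindowMinutes -lt $Baseline.WindowMinutes) {
        $findings += "Observation window $($Policy.WindowMinutes) min is below the assumed baseline of $($Baseline.WindowMinutes)"
    }
    return $findings
}

function Set-LockoutBaseline {
    # net accounts sets all three values in one call; duration must be >= window or it errors.
    net accounts "/lockoutthreshold:$($Baseline.Threshold)" `
                 "/lockoutduration:$($Baseline.DurationMinutes)" `
                 "/lockoutwindow:$($Baseline.WindowMinutes)" | Out-Null
}

$policy   = Get-LockoutPolicy
$findings = Test-LockoutPolicy -Policy $policy
if ($findings.Count -eq 0) { 'Lockout policy meets the Windows 11 baseline.' } else { $findings }
# On a host that fails the check, apply the baseline with: Set-LockoutBaseline
```

This reads and writes the local security policy only. On a domain-joined machine, lockout settings for domain accounts come from the domain's password policy (the Default Domain Policy or a fine-grained password policy), so the check must be repeated there, and a value applied locally will not change what domain users experience.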
The feature, following the company’s decision to resume the blocking of Visual Basic for Applications (VBA) macros for Office documents, is also expected to be backported to older versions of Windows and Windows Server.
Aside from malicious macros, brute-forced RDP access has long been one of the most popular methods used by threat actors to gain unauthorized access to Windows systems.
LockBit, one of the most active ransomware gangs of 2022, is known to often rely on RDP for its first foothold and follow-up activities. Other families that use the same mechanism include Conti, Hive, PYSA, Crysis, SamSam, and Dharma.
In implementing this new threshold, the goal is to significantly reduce the effectiveness of the RDP attack vector and prevent intrusions that rely on guessing passwords and compromised credentials.
“Brute-forcing RDP is the most common method used by threat actors trying to access Windows systems and run malware,” Zscaler noted last year.
“Threat actors scan for […] open RDP ports publicly to perform distributed brute-force attacks. Systems that use weak credentials are easy targets and, once compromised, attackers sell access to the hacked systems on the dark web to other cybercriminals.”
That said, Microsoft warns in its documentation about potential denial-of-service (DoS) attacks that could be orchestrated by abusing the account lockout threshold policy setting.
“A malicious user could programmatically attempt a series of password attacks against all users in the organization,” the company notes. “If the number of retries exceeds the account lockout threshold, the attacker could potentially lock down any account.”
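The trade-off Microsoft describes is visible in the Security log: a lockout policy turns a credential-guessing campaign against many accounts into a burst of event ID 4740 ("A user account was locked out") records naming one caller computer. The following PowerShell is an added example, not code from the article or from Microsoft, that flags that pattern so defenders can tell a lockout storm from a user mistyping a password. The sample events are constructed for this example, and the window and account-count thresholds are assumptions to tune per environment.

```powershell
# Added example (not from the article): detect many distinct accounts being locked out
# from a single source within a short window, the denial-of-service effect Microsoft
# warns about. Event ID 4740 is real; the events below are constructed sample data.

$SampleEvents = @(
    # A burst of lockouts from one caller computer cycling through accounts (constructed).
    [pscustomobject]@{ Time = [datetime]'2022-07-25T09:00:10'; EventId = 4740; Account = 'alice'; Source = 'WKS-UNKNOWN-1' },
    [pscustomobject]@{ Time = [datetime]'2022-07-25T09:00:42'; EventId = 4740; Account = 'bob';   Source = 'WKS-UNKNOWN-1' },
    [pscustomobject]@{ Time = [datetime]'2022-07-25T09:01:15'; EventId = 4740; Account = 'carol'; Source = 'WKS-UNKNOWN-1' },
    [pscustomobject]@{ Time = [datetime]'2022-07-25T09:01:50'; EventId = 4740; Account = 'dave';  Source = 'WKS-UNKNOWN-1' },
    [pscustomobject]@{ Time = [datetime]'2022-07-25T09:02:30'; EventId = 4740; Account = 'erin';  Source = 'WKS-UNKNOWN-1' },
    [pscustomobject]@{ Time = [datetime]'2022-07-25T09:03:05'; EventId = 4740; Account = 'frank'; Source = 'WKS-UNKNOWN-1' },
    # A single user locking herself out from her own workstation: benign (constructed).
    [pscustomobject]@{ Time = [datetime]'2022-07-25T09:30:00'; EventId = 4740; Account = 'gina';  Source = 'WKS-07' }
)

function Find-LockoutStorm {
    param(
        [object[]]$Events,
        [int]$WindowMinutes = 10,   # assumption: matches the lockout window in the article
        [int]$MinAccounts   = 5     # assumption: distinct accounts locked from one source
    )
    $lockouts = $Events | Where-Object EventId -eq 4740 | Sort-Object Time
    $alerts = @()
    foreach ($group in ($lockouts | Group-Object Source)) {
        $evts = @($group.Group)
        # Slide a window starting at each lockout from this source and count distinct accounts.
        for ($i = 0; $i -lt $evts.Count; $i++) {
            $start    = $evts[$i].Time
            $inWindow = $evts | Where-Object { $_.Time -ge $start -and $_.Time -le $start.AddMinutes($WindowMinutes) }
            $accounts = @($inWindow.Account | Sort-Object -Unique)
            if ($accounts.Count -ge $MinAccounts) {
                $alerts += [pscustomobject]@{ Source = $group.Name; Start = $start; LockedAccounts = $accounts }
                break   # one alert per source is enough; a SIEM rule would dedupe the same way
            }
        }
    }
    return $alerts
}

# Expected: one alert for WKS-UNKNOWN-1 listing six accounts; WKS-07 produces none.
Find-LockoutStorm -Events $SampleEvents | Format-List
```

To run this over real data, pull the records with `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 }` and map each event's locked account name and caller computer name into the `Account` and `Source` fields. The same grouping applied to event ID 4625 with logon type 10 (RemoteInteractive) shows the RDP password failures that precede the lockouts, which is the earlier signal the article's brute-force scenario produces.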
Garcia Davis is a professional blogger and marketer, who regularly writes about custom packaging, technologies, news and health to help companies understand and adapt new ways to reach and inspire their target audience.
