Monday, November 28, 2022

Windows: Has Microsoft found the secret weapon against password hacking?

Microsoft has rolled out a new feature to all supported versions of Windows intended to make brute force attacks against local administrator accounts more difficult. With it, Windows devices can now lock out local administrator accounts, something Windows could not do until yesterday's Patch Tuesday updates introduced a new lockout policy setting for administrator accounts.

When local administrator accounts cannot be locked out on a Windows device, attackers can attempt to guess the account password without restriction, and simple, short passwords are often guessed quickly. As Microsoft points out, this attack can be performed over the network using Remote Desktop Protocol (RDP), a feature frequently targeted by ransomware gangs trying to gain access to systems.

“Starting with Windows Updates, it will be possible to enable local administrator account lockout,” Microsoft explains in a support note for KB5020282, which was discovered by the Bleeping Computer website.

Microsoft tightens the screw

The account lockout feature has four settings: reset account lockout counter, lock all admin accounts, account lockout threshold, and account lockout duration. Microsoft’s baseline recommends that organizations enable administrator account lockout and set the other three settings to 10/10/10, which means the account will be locked out after 10 failed attempts within 10 minutes and the lockout will last 10 minutes. The account is then automatically unlocked.

This is the default state for Windows 11, version 22H2, and for machines installed cleanly from media that already includes the Windows 11 October 2022 cumulative updates.

Microsoft notes that a machine that was set up first and received the October updates afterwards is not protected by default: the policy settings have to be added explicitly. Administrators can also set "Allow Administrator account lockout" to disabled.
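As an added example (not from the article or from Microsoft), the following PowerShell audit exports the local security policy with secedit and compares the four lockout settings described above against the 10/10/10 baseline. It assumes the template key name AllowAdministratorLockout is what secedit writes for "Allow Administrator account lockout" on a patched system; run it in an elevated session.

```powershell
# Audit the local account lockout policy against Microsoft's 10/10/10 baseline
# plus the new "Allow Administrator account lockout" setting (KB5020282 or later).
function Get-LockoutPolicy {
    $tmp = Join-Path $env:TEMP 'secpol-audit.inf'
    # secedit writes the local security policy as an INI-style template (UTF-16)
    secedit /export /cfg $tmp /areas SECURITYPOLICY | Out-Null
    $inSystemAccess = $false
    $policy = @{}
    foreach ($line in Get-Content $tmp -Encoding Unicode) {
        if ($line -match '^\[(.+)\]$') { $inSystemAccess = ($Matches[1] -eq 'System Access'); continue }
        if ($inSystemAccess -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $policy[$Matches[1]] = $Matches[2]
        }
    }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    return $policy
}

function Test-LockoutBaseline {
    param([hashtable]$Policy)
    # Expected values per the baseline: admin lockout enabled, 10 attempts within
    # a 10-minute window, 10-minute lockout. Key names are secedit's template names;
    # AllowAdministratorLockout is assumed to be the key for the new policy.
    $expected = [ordered]@{
        AllowAdministratorLockout = 1   # "Allow Administrator account lockout" enabled
        LockoutBadCount           = 10  # Account lockout threshold (0 = lockout disabled)
        ResetLockoutCount         = 10  # Reset account lockout counter after (minutes)
        LockoutDuration           = 10  # Account lockout duration (minutes; 0 = until unlocked)
    }
    $findings = foreach ($key in $expected.Keys) {
        $actual = if ($Policy.ContainsKey($key)) { [int]$Policy[$key] } else { $null }
        [pscustomobject]@{
            Setting  = $key
            Expected = $expected[$key]
            Actual   = $actual
            # MISSING for AllowAdministratorLockout means the update or the policy
            # is not present, which is the "configured before October" case.
            Status   = if ($null -eq $actual) { 'MISSING' }
                       elseif ($actual -eq $expected[$key]) { 'OK' }
                       else { 'DRIFT' }
        }
    }
    return $findings
}

Test-LockoutBaseline -Policy (Get-LockoutPolicy) | Format-Table -AutoSize
```

Any row other than OK on a machine that should follow the baseline indicates the local policy was not updated after patching, or was deliberately changed.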

Stronger passwords

On new machines, Microsoft will now also enforce password complexity for local administrator accounts, requiring the password to have "at least three of the four basic character types (lowercase, uppercase, numbers, and symbols)".

Microsoft also points out that Patch Tuesday restricted the reuse of computer accounts during domain join when the user joining the domain does not have the appropriate rights to the existing account. This is another part of Microsoft's effort to secure Windows by default and is related to an Active Directory elevation of privilege flaw, CVE-2022-38042, addressed in the October 11 update with hardening changes for domain join.

In September, Microsoft rolled out a default rate limiter to make Windows 11 machines a “very unattractive target” for hackers trying to steal credentials.
