Recent Windows 11 Insider builds ship with an Account Lockout Policy enabled by default, according to a tweet by Microsoft's VP for Enterprise and OS Security. The setting, enabled in Insider Preview build 22528.1000 and newer, is meant to blunt brute-force attacks against Remote Desktop (RDP) and the other password-guessing vectors that are common in attacks on organizations.
The new default lockout settings in this build are: 10 invalid logon attempts trigger a lockout, the lockout lasts 10 minutes, and the invalid-attempt counter is reset after 10 minutes. The counter is kept per account, so the policy stops an attacker who hammers one account with many guesses; an attacker who spreads a few guesses across many accounts (password spraying) stays under the threshold on each one, which is why lockout complements, rather than replaces, strong credentials and limiting who can reach RDP at all. The change targets the Remote Desktop Services brute-force attempts that threat actors use to gain unauthorized access to systems. According to the FBI, RDP is the entry point in roughly 70-80% of all network breaches that lead to ransomware attacks.
This change is part of Microsoft's broader effort to close the entry vectors ransomware operators use to breach Windows networks and systems. Other steps in that effort include auto-blocking Office macros in documents downloaded from the Internet and enforcing MFA in Azure AD.
While these settings are now enabled by default in Windows 11 Insider builds, they remain disabled by default on older operating systems such as Windows 10, where the lockout threshold is 0 ("never lock out"). It is therefore highly recommended to backport them: in a domain, set the Account Lockout Policy in Group Policy (Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy) to the same 10/10/10 values; on standalone machines, set the same values in Local Security Policy or with a security template. One caveat a practitioner should weigh: a lockout policy gives an attacker who knows valid usernames a way to lock those users out deliberately, so pair a short lockout duration (which limits the damage) with monitoring of lockout events, and keep at least one break-glass account that is not reachable over RDP. Likewise, organizations should review their Internet-exposed devices to find any system with RDP reachable from external networks. RDP should not be accessible from the Internet unless absolutely required, as an exposed listener is a large attack surface; where remote access is needed, put it behind a VPN or Remote Desktop Gateway with MFA and require Network Level Authentication (NLA) so that credentials are checked before a session is created. For any system that must keep RDP exposed to the Internet, enforcing a strong password policy and rotating passwords regularly, together with the lockout settings above, makes it as difficult as possible for threat actors to gain unauthorized access.
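The following script is an added example written for this page, not code from the article or from Microsoft. It backports the Windows 11 default lockout values to a Windows 10 host by applying a security template with secedit (the same mechanism the Local Security Policy console uses), shows the effective policy before and after, and then reports whether the host has RDP enabled, listening, protected by NLA, and opened to any source address in Windows Firewall. The threshold values, the temporary template path, and the English "Remote Desktop" firewall group name are assumptions; the domain-wide alternative is shown as a comment.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft): backport the Windows 11 default
# Account Lockout Policy (10 attempts / 10-minute lockout / 10-minute reset window)
# to a Windows 10 host and report whether RDP on this host is reachable in a way that
# makes those values matter. Run from an elevated PowerShell prompt.

$Threshold = 10   # invalid logon attempts before lockout (assumed: Windows 11 default)
$Duration  = 10   # lockout duration, minutes
$Window    = 10   # minutes after which the invalid-attempt counter resets

function Get-LocalLockoutPolicy {
    # 'net accounts' prints the effective local policy; pull out the three lockout lines.
    $lines = net accounts
    [pscustomobject]@{
        Threshold = ($lines | Select-String 'Lockout threshold').Line.Split(':')[1].Trim()
        Duration  = ($lines | Select-String 'Lockout duration').Line.Split(':')[1].Trim()
        Window    = ($lines | Select-String 'Lockout observation window').Line.Split(':')[1].Trim()
    }
}

function Set-LocalLockoutPolicy {
    param([int]$Threshold, [int]$Duration, [int]$Window)
    # secedit applies a security template (.inf). Note that a non-zero duration is
    # required when a threshold is set, and the reset window may not exceed the duration.
    $inf = Join-Path $env:TEMP 'lockout.inf'   # assumed temporary path
    @"
[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = $Threshold
LockoutDuration = $Duration
ResetLockoutCount = $Window
[Version]
signature="`$CHICAGO`$"
Revision=1
"@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db "$env:windir\security\local.sdb" /cfg $inf /areas SECURITYPOLICY | Out-Null
    Remove-Item $inf
}

# Domain-joined fleet: set the same values once on the default domain policy instead
# (ActiveDirectory module, run as a domain admin):
# Set-ADDefaultDomainPasswordPolicy -Identity $env:USERDNSDOMAIN -LockoutThreshold 10 `
#     -LockoutDuration 00:10:00 -LockoutObservationWindow 00:10:00

function Get-RdpExposure {
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = (Get-ItemProperty $ts).fDenyTSConnections -eq 0
    # UserAuthentication = 1 means Network Level Authentication is required.
    $nla = (Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1
    $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    # Enabled inbound rules in the Remote Desktop group whose remote-address scope is
    # 'Any' are what let arbitrary source IPs reach the listener. The display group
    # name is the English one; it is localized on non-English installs.
    $openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
        Select-Object -ExpandProperty DisplayName
    [pscustomobject]@{
        RdpEnabled     = $rdpEnabled
        NlaRequired    = $nla
        Listening3389  = $listening
        RulesOpenToAny = $openRules
    }
}

'Lockout policy before:'; Get-LocalLockoutPolicy
Set-LocalLockoutPolicy -Threshold $Threshold -Duration $Duration -Window $Window
'Lockout policy after:';  Get-LocalLockoutPolicy
'RDP exposure on this host:'; Get-RdpExposure
```

A host that reports RdpEnabled and Listening3389 as True, NlaRequired as False, and one or more rules under RulesOpenToAny is the case the article warns about: any Internet source that can reach port 3389 can start guessing passwords without first authenticating, and on a default Windows 10 install nothing would ever lock the account. Run the exposure check across the fleet (for example through PowerShell remoting) to build the list of systems whose RDP rules need a remote-address scope or a gateway in front of them.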