Threat Watch

Microsoft Institutes Account Lockout for Local Admin Against Brute Force Attacks

Yesterday, as part of its “Patch Tuesday” monthly update cycle, Microsoft included a new option in Windows 10 to allow system administrators to activate a lockout policy against repeated logon attempts on Administrator accounts via local or domain GPO. This policy can be found under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies.

The update will be enabled by default on all Windows 11 22H2 machines as well as machines in which the October 2022 Windows cumulative updates were installed before the initial setup when the Security Account Manager (SAM) database that stores the users’ passwords is first instantiated on the new machine. In addition, Microsoft now requires local administrator accounts to use more complex passwords including three out of the four basic character types (lower case, upper case, numbers, and symbols) in order to avoid trivial passwords that threat actors can utilize for privilege escalation and lateral movement.


Brute force attacks on Administrator passwords are a common technique employed by threat actors to perform lateral movement and privilege escalation. A typical procedure is to utilize repeated attempts via RDP connections. The policy option allows for three parameters: number of attempts, time range of attempts, and time for lockout. It is highly recommended to adopt and enable the lockout policy with parameters appropriate to an organization’s risk management framework and environment. Microsoft’s baseline recommendation is 10/10/10: 10 failed attempts within 10 minutes result in a lockout for 10 minutes. Any combination of parameters that effectively rate limit brute forcing attempts would be effective. In today’s modern threat environment with sophisticated social engineering attacks, it is difficult to secure an organization’s network perimeter. A more effective defense-in-depth cybersecurity strategy that focuses on the detection of post-compromise activities such as brute force attacks on Administrator accounts, which would be greatly assisted by the MDR, Threat Hunting, and SOC services offered by Binary Defense, is highly recommended.