Windows 11 is getting proper brute force protection this year


Microsoft’s Windows 11 operating system is getting a new security feature later this year that improves resilience against brute force attacks.


Announced by David Weston, Microsoft’s VP for Enterprise and operating system security, the security feature is already available in recent Windows 11 Insider builds.

Malicious actors use brute force attacks to gain access to computer systems that they don’t have passwords or other means of authentication for.

These attacks can be compared to users trying to sign in to a device they have lost access to: they try one password after another until one works.

Brute force attacks may use password lists to try commonly used passwords and variations.

Local brute force attacks are not common, but attacks that use remote desktop protocol connections are. Microsoft notes that Remote Desktop Protocol brute force attacks are commonly used by human-operated ransomware.

[Human-operated ransomware attacks] are known to take advantage of network configuration weaknesses and vulnerable services to deploy ransomware payloads. And while ransomware is the very visible action taken in these attacks, human operators also deliver other malicious payloads, steal credentials, and access and exfiltrate data from compromised networks.

Microsoft Security Blog

Brute force attacks explained

Brute force attacks attempt to guess account passwords, often by using password lists and variations of their entries. Variations may add a number or special character to the end of common words.

The attacks work well thanks to the use of weak passwords. Weak passwords are short, often reused and easy to guess. Leaked password lists, which are readily available on the Internet, contain tens of thousands of weak passwords that criminals may use in brute force attempts.

Computer users may protect their accounts with unique strong passwords. While these are more difficult or even impossible to remember, they do provide a good level of protection against brute force attacks. The use of two-factor authentication protections, if supported by a service or operating system, adds another layer of protection to the account.

Password managers such as KeePass, LastPass, or Bitwarden store all passwords locally or in the cloud, and help with the generation of secure passwords.

Complex passwords may still be brute forced, but the chance of success becomes increasingly slim because of the time required and the growing chance of detection.

Windows 11’s Brute Force protection

image credit: David Weston / Microsoft

One of the best protections against brute force attacks is to limit the number of invalid login attempts. Brute force attacks may check hundreds of passwords each minute if no limitation is in place.

Considering that password lists may contain tens of thousands of entries, or even more, limiting attempts will severely hinder attacks.

A low limit locks the account temporarily as soon as it is reached, which blocks further attempts for the duration of the lockout.

Microsoft added new default account lockout policies to mitigate “RDP and other brute force password vectors”. These are available in the latest Windows 11 development builds.

The following Account Lockout Policy settings are configured by default, according to Microsoft:

  • Account lockout duration — Defines the lockout duration of attacked accounts.
  • Account lockout threshold — The number of invalid login attempts before the account is locked temporarily.
  • Allow Administrators account lockout — Whether administrator accounts will be locked as well if too many invalid login attempts are noticed by the system.
  • Reset account lockout counter after — When to reset the invalid logon attempts counter.

Windows 11 administrators find the policies in the Group Policy Editor under Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Account Lockout Policy.

A check of the latest Insider build of Windows 11 confirmed the defaults for these policies.
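One way to perform that check from an elevated PowerShell prompt, as an added example that is not part of the article or Microsoft's own tooling: it exports the local security policy with secedit and flags lockout settings that leave the account open to unlimited guessing. It assumes secedit.exe is on PATH, that the INF keys are named as shown (AllowAdministratorLockout is an assumed key name for the new "Allow Administrator account lockout" setting), and it uses a threshold of 10 only as an illustrative ceiling.

```powershell
# Added example (not from the article or from Microsoft): audit the local
# Account Lockout Policy. Run from an elevated session; secedit needs it.
function Get-LockoutPolicy {
    $inf = Join-Path $env:TEMP 'lockout-audit.inf'
    # secedit writes a UTF-16 INF with a BOM, which Get-Content detects.
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $policy = @{}; $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.+)$') {
            $policy[$Matches[1]] = $Matches[2].Trim()
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $policy
}

function Get-IntSetting($policy, $key) {
    # secedit omits the duration/reset keys when lockout is disabled; treat missing as 0.
    if ($policy.ContainsKey($key)) { return [int]$policy[$key] } else { return 0 }
}

function Test-LockoutPolicy($policy) {
    $threshold = Get-IntSetting $policy 'LockoutBadCount'            # 0 = never lock out
    $duration  = Get-IntSetting $policy 'LockoutDuration'            # minutes
    $reset     = Get-IntSetting $policy 'ResetLockoutCount'          # minutes
    $adminLock = Get-IntSetting $policy 'AllowAdministratorLockout'  # assumed INF key name
    $findings = @()
    if ($threshold -eq 0) {
        $findings += 'LockoutBadCount = 0: unlimited password guesses are allowed.'
    } else {
        # 10 is an illustrative ceiling for this check, not a value taken from the article.
        if ($threshold -gt 10) { $findings += "LockoutBadCount = $threshold: high threshold weakens the control." }
        if ($duration -gt 0 -and $reset -gt $duration) {
            $findings += 'ResetLockoutCount exceeds LockoutDuration; the reset window must not exceed the lockout.'
        }
        if ($adminLock -eq 0) { $findings += 'Built-in Administrator is exempt from lockout (AllowAdministratorLockout = 0).' }
    }
    return $findings
}

$findings = Test-LockoutPolicy (Get-LockoutPolicy)
if ($findings.Count -eq 0) { 'Account lockout policy enforces a limit on failed logons.' } else { $findings }
```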

Note that the policies are available only in development builds of Windows 11. Microsoft has not revealed a target release version yet. The most likely candidate is the upcoming Windows 11 version 22H2 feature update. The feature update is expected in the coming months.

Verdict

The new anti-brute-force policy improves protection against local and remote brute force attacks. Administrators may modify the defaults to make them more or less restrictive.

Windows users who sign in with passwordless authentication may not need them.

All things considered, the new security policies will improve the security of Windows 11 user accounts.

Author: Jesús Bosque
