Brute force attacks, which use trial and error tactics to crack passwords and encryption keys, are one of the most common methods that cybercriminals use to attack Windows machines. Without proper security tools, threat actors can have unlimited attempts to guess an account's password. And if the passwords are weak, it wouldn't take long for threat actors to infiltrate an account.
Microsoft is taking action against this by allowing IT admins to configure any Windows system still receiving security updates to automatically block brute force attacks targeting local administrator accounts. Starting with the October 11, 2022 or later Windows cumulative updates, a local policy will be available to enable local administrator account lockouts.
To take advantage of this feature, IT admins can enable "Allow Administrator account lockout" policy under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies in the Local Group Policy Editor.
Microsoft also suggests enabling the other entries under Account Lockout Policy: Account lockout duration, Account lockout threshold, and Reset Account lockout counter after. The company recommends a 10/10/10 approach: an account would be locked out after 10 failed attempts within 10 minutes. This lockout would then last for 10 minutes, after which the account would be unlocked automatically.
The Administrator account lockout policy is also enabled by default at system setup for new machines on Windows 11 version 22H2 or any new machines that include the October 11, 2022 Windows cumulative updates before the initial setup.
Finally, Microsoft is now enforcing password complexity on new machines if a local administrator account is used. The password must meet at least three out of four requirements: lowercase letters, uppercase letters, numbers, and symbols. According to the software giant, these will help "further protect accounts from being compromised because of a brute force attack."
Via: Bleeping Computer