It appears the anti-brute-force mechanism Microsoft implemented in Windows 11 less than a month ago is working, as the company has decided to expand it to all other supported versions of the operating system.
In an announcement, Microsoft explained that IT admins can now configure their systems to automatically block these types of attacks against local admin accounts through a group policy.
“In an effort to prevent further brute force attacks/attempts, we are implementing account lockouts for Administrator accounts,” Microsoft said. “Beginning with the October 11, 2022 or later Windows cumulative updates, a local policy will be available to enable local administrator account lockouts.”
Testing the features with Windows 11
Microsoft first introduced the change in late September, with the Insider Preview Build 25206, by making the SMB authentication rate limiter enabled by default. A couple of other settings have been tweaked to make these attacks “less effective”, as well.
“The SMB server service now defaults to a 2-second default between each failed inbound NTLM authentication,” Ned Pyle, Principal Program Manager in the Microsoft Windows Server engineering group, said at the time.
“This means if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes (90,000 passwords), the same number of attempts would now take 50 hours at a minimum.”
In other words, by toggling the feature on, there is a delay between each unsuccessful NTLM authentication attempt, making the SMB server service more resilient to brute-force attacks.
To turn the feature on, IT admins should search Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies for the “Allow Administrator account lockout” policy.
Together with this change, Microsoft also altered how all local admin passwords are set up, requiring at least three of the four basic character types – lower case, upper case, numbers, and symbols.
Source: Windows update could help defend against an all-too-common cyberattack | TechRadar