Microsoft has rolled out a new capability to all supported versions of Windows that will make it harder for hackers to carry out brute-force password-guessing attacks against local admin accounts.
The new feature means that Windows devices can now lock out local admins – something that Windows devices haven't been allowed to do until yesterday's Patch Tuesday updates introduced a new set of admin account lockout policies.
When local admin accounts can't be locked out of Windows device, attackers can hit the account with an unlimited number of attempts to guess the right password. Attackers can often quickly guess ones that are simple and short.
"Beginning with the October 11, 2022 or later Windows cumulative updates, a local policy will be available to enable local administrator account lockouts. This policy can be found under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies,"Microsoft explains in a support note for KB5020282 as spotted by Bleeping Computer.
The account lockout policy has four settings: Reset account lockout counter after; All Administrator account lockout; Account lockout threshold; and Account lockout duration. Microsoft's baseline recommends organisations should enable the admin account lockout, and set the other three to 10/10/10, meaning the account will be locked out after 10 failed attempts within 10 minutes and that the lockout lasts 10 minutes. After that, the account is automatically unlocked.
This is the default state for Windows 11, version 22H2, as well as cleanly installed machines that include the October 11, 2022 Windows cumulative updates before set up. Microsoft notes that a machine that was set up and then had the October updates installed later would not be secure by default and would need the policy settings explicitly added. Admins can also apply the disabled setting for 'allow administrator account lockout'.
Also, on on new machines where a local administrator account is used, Microsoft now enforces password complexity, requiring the password have "at least three of the four basic character types (lowercase, uppercase, numbers, and symbols)."
A Microsoft program manager for Active Directory also pointed out Microsoft's Patch Tuesday has restricted computer account re-use via domain join if the domain joiner does not have the appropriate rights to the account. It's another element of Microsoft's Windows 'secure by default' effort and relates to an Active Directory elevation of privilege flaw – CVE-2022-38042 – addressed in the October 11 update, with hardening changes for domain join.