Windows 11 is getting a new security setting to block ransomware attacks
Microsoft is rolling out a new security default for Windows 11 that will go a long way to preventing ransomware attacks that begin with password-guessing attacks and compromised credentials.
The new account security default on account credentials should help thwart ransomware attacks that are initiated after using compromised credentials or brute-force password attacks to access remote desktop protocol (RDP) endpoints, which are often exposed on the internet.
RDP remains the top method for initial access in ransomware deployments, with groups specializing in compromising RDP endpoints and selling them to others for access.
SEE: Ransomware: Why it's still a big threat, and where the gangs are going next
The new feature is rolling out to Windows 11 in a recent Insider test build, but the feature is also being backported to Windows 10 desktop and server, according to Dave Weston, vice president of OS Security and Enterprise at Microsoft.
"Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors. This technique is very commonly used in Human Operated Ransomware and other attacks – this control will make brute forcing much harder which is awesome!," Weston tweeted.
Weston emphasized "default" because the policy is already an option in Windows 10 but isn't enabled by default.
That's big news and is a parallel to Microsoft's default block on internet macros in Office on Windows devices, which is also a major avenue for malware attacks on Windows systems through email attachments and links.
Microsoft paused the default internet macro block this month but will re-release the default macro block soon. The default block on untrusted macros is a powerful control against a technique that relied on end users being tricked into clicking an option to enable macros (which are disabled by default), despite warnings in Office against doing so.
The new account lockdown control was applauded by one cybersecurity expert.
SEE: What, exactly, is cybersecurity? And why does it matter?
"oh my god, they're doing the RDP entry issue – between macros and RDP this makes almost all Windows/MS ransomware entry," wrote UK security pro, Kevin Beaumont.
"Assuming it's in a monthly security patch (wide distro) this will solve one of the major ransomware entry points (source: my team deal with 5k security incidents a year)," he added.
The defaults will be visible in the Windows Local Computer Policy directory "Account Lockout Policy". The default "account lockout duration" is 10 minutes; the "account lockout threshold" is set to a maximum of 10 invalid logon attempts; a setting to "allow administrator account lockout" is enabled; and the "reset account lockout counter after" setting is set to 10 minutes.
@windowsinsider Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors. This technique is very commonly used in Human Operated Ransomware and other attacks - this control will make brute forcing much harder which is awesome! pic.twitter.com/ZluT1cQQh0
— David Weston (DWIZZZLE) (@dwizzzleMSFT) July 20, 2022
Beyond ransomware attacks, the Windows 11 security control should put a dent in the broader issue of brute-force password attacks, such as credential stuffing, that are very effective when multi-factor authentication (MFA) hasn't been enabled for an account. As Beaumont noted recently, MFA isn't built into RDP and its authentication is easy to brute force .
Microsoft hasn't said how it will roll out the new security control to mainstream Windows 11 and Windows 10, but it could likely arrive in a future security update.
According to Weston, the control should be available in the Windows 11 Insider preview build 22528.1000 and upwards.
Microsoft's has been trying to raise the general baseline of security for Windows customers. In May, it started rolling out "security defaults" to millions of customers using Azure Active Directory. The defaults ensure customers have MFA enabled when necessary, based on the user's location, device, role, and task.