Microsoft is rolling out a new security default for Windows 11 that will go a long way toward preventing ransomware attacks that begin with password guessing and compromised credentials.
The new default account lockout policy should help thwart ransomware attacks that start with compromised credentials or brute-force password attacks against remote desktop protocol (RDP) endpoints, which are often exposed on the internet.
"Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors. This technique is very commonly used in Human Operated Ransomware and other attacks – this control will make brute forcing much harder which is awesome!" Weston tweeted.
That's big news and parallels Microsoft's default block on internet macros in Office on Windows devices; such macros are also a major avenue for malware attacks on Windows systems through email attachments and links.
Microsoft paused the default internet macro block this month but will re-release the default macro block soon. The default block on untrusted macros is a powerful control against a technique that relied on end users being tricked into clicking an option to enable macros (which are disabled by default), despite warnings in Office against doing so.
The new account lockout control was applauded by one cybersecurity expert.
"Assuming it's in a monthly security patch (wide distro) this will solve one of the major ransomware entry points (source: my team deal with 5k security incidents a year)," he added.
The defaults will be visible in the Windows Local Computer Policy directory "Account Lockout Policy". The default "account lockout duration" is 10 minutes; the "account lockout threshold" is set to a maximum of 10 invalid logon attempts; a setting to "allow administrator account lockout" is enabled; and the "reset account lockout counter after" setting is set to 10 minutes.
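To check a machine against the values listed above, the following added example (not Microsoft's code) parses a `secedit` export and compares its `[System Access]` entries with those defaults. The function name `Test-LockoutPolicy` and the sample export are constructed for illustration, and treating settings stricter than the defaults as passing is an assumption.

```powershell
# Added example. For real input, run from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY
#   Test-LockoutPolicy -InfLines (Get-Content "$env:TEMP\secpol.inf")
function Test-LockoutPolicy {
    param([Parameter(Mandatory)][string[]]$InfLines)

    # Collect numeric "Key = Value" pairs from the [System Access] section only.
    $values = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(-?\d+)$') { $values[$Matches[1]] = [int]$Matches[2] }
    }

    # INF key, policy name as shown in the article, expected value, pass condition.
    $rules = @(
        @{ Key = 'LockoutBadCount'; Name = 'Account lockout threshold'
           Want = '1-10 attempts'; Ok = { param($v) $v -ge 1 -and $v -le 10 } }   # 0 = lockout disabled
        @{ Key = 'LockoutDuration'; Name = 'Account lockout duration'
           Want = '>= 10 min';     Ok = { param($v) $v -ge 10 -or $v -eq -1 } }   # -1 = until an admin unlocks
        @{ Key = 'ResetLockoutCount'; Name = 'Reset account lockout counter after'
           Want = '>= 10 min';     Ok = { param($v) $v -ge 10 } }
        @{ Key = 'AllowAdministratorLockout'; Name = 'Allow Administrator account lockout'
           Want = '1 (enabled)';   Ok = { param($v) $v -eq 1 } }
    )

    foreach ($r in $rules) {
        $v = $values[$r.Key]   # $null when the export has no such entry
        [pscustomobject]@{
            Policy    = $r.Name
            Current   = if ($null -eq $v) { 'not set' } else { $v }
            Expected  = $r.Want
            Compliant = ($null -ne $v) -and [bool](& $r.Ok $v)
        }
    }
}

# Constructed sample: a machine with lockout disabled. With a threshold of 0,
# the duration and reset-counter entries are absent from the export.
$sample = @(
    '[Unicode]', 'Unicode=yes',
    '[System Access]', 'MinimumPasswordLength = 0', 'LockoutBadCount = 0',
    '[Event Audit]', 'AuditLogonEvents = 0'
)
Test-LockoutPolicy -InfLines $sample | Format-Table -AutoSize
```

On the constructed sample every row reports `Compliant = False`: the threshold is 0 and the other three entries are missing.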
Microsoft hasn't said how it will roll out the new security control to mainstream Windows 11 and Windows 10, but it could likely arrive in a future security update.
According to Weston, the control should be available in the Windows 11 Insider preview build 22528.1000 and upwards.
Microsoft has been trying to raise the general baseline of security for Windows customers. In May, it started rolling out "security defaults" to millions of customers using Azure Active Directory. The defaults ensure customers have MFA enabled when necessary, based on the user's location, device, role, and task.