Microsoft is enabling account lockout by default – that’s good news for security

Qasim Armstrong, CREST Registered Penetration Tester at Reliance acsn, discusses Microsoft’s introduction of account lockout and what it means for security.

The latest build of Windows 11, 22H2, comes with an Account Lockout Policy enabled by default. This means that the OS will automatically lock out user accounts, including administrator accounts, for ten minutes following ten failed login attempts.

This feature is designed to defend against brute-force attacks, in which an attacker tries many candidate passwords in the hope of hitting the correct one. An attacker who recovers a user’s password this way gains access to the entire machine, with potentially devastating security consequences.

Unfortunately, Windows 11 is currently installed on under a quarter of all Windows machines – and this latest build on an even smaller number still – so while this step is an improvement, it will be some time before it trickles down to a majority of Windows users.

That said, it’s possible that this announcement will raise awareness of the feature and encourage more administrators to enable it. Doing so is straightforward, and administrators can enable the feature from the Group Policy Management Console.

The lockout policy will also apply to Remote Desktop Protocol (RDP), which is good news since an estimated 47% of ransomware attacks are preceded by RDP compromise. When combined with other common-sense security features, lockout is a key tool for reducing the attack surface available to malicious actors.
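To make the mechanics concrete, the following is an added example (not code from the article, Reliance acsn or Microsoft) that models the three settings behind a Windows account lockout policy: the failure threshold, the lockout duration and the observation window within which failures accumulate. The threshold and duration are the 22H2 defaults the article describes (ten failures, ten minutes); the ten-minute observation window, the account names and the timestamps are constructed assumptions for the scenario.

```python
"""Model of the Windows account lockout policy described in the article.

Added example (not from the article or Microsoft): it reproduces the policy
semantics so the effect of the three settings can be seen on a constructed
sequence of logon attempts.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Windows 11 22H2 defaults as described in the article: 10 failures lock the
# account for 10 minutes. The observation window (how long after a failure the
# bad-password counter is kept before it resets) is assumed to be 10 minutes.
DEFAULT_THRESHOLD = 10
DEFAULT_LOCKOUT_DURATION = timedelta(minutes=10)
DEFAULT_OBSERVATION_WINDOW = timedelta(minutes=10)


@dataclass
class AccountState:
    bad_count: int = 0                       # failed attempts inside the window
    last_failure: Optional[datetime] = None  # when the counter was last bumped
    locked_until: Optional[datetime] = None  # None while the account is usable


class LockoutPolicy:
    """Tracks per-account failure counters the way the Windows policy does."""

    def __init__(self, threshold=DEFAULT_THRESHOLD,
                 duration=DEFAULT_LOCKOUT_DURATION,
                 window=DEFAULT_OBSERVATION_WINDOW):
        self.threshold = threshold
        self.duration = duration
        self.window = window
        self.accounts: Dict[str, AccountState] = {}
        # One entry per lockout; on a real host this is what event ID 4740 records.
        self.lockout_events: List[Tuple[datetime, str]] = []

    def attempt(self, account: str, password_ok: bool, now: datetime) -> str:
        """Return 'SUCCESS', 'FAILED' or 'LOCKED' for a single logon attempt."""
        st = self.accounts.setdefault(account, AccountState())

        # While locked, every attempt is rejected, even with the right password.
        if st.locked_until is not None:
            if now < st.locked_until:
                return "LOCKED"
            st.locked_until = None           # lockout expired: start fresh
            st.bad_count = 0
            st.last_failure = None

        if password_ok:
            st.bad_count = 0                 # a good logon clears the counter
            st.last_failure = None
            return "SUCCESS"

        # Only failures that fall inside the observation window accumulate.
        if st.last_failure is not None and now - st.last_failure >= self.window:
            st.bad_count = 0
        st.bad_count += 1
        st.last_failure = now

        if st.bad_count >= self.threshold:
            st.locked_until = now + self.duration
            self.lockout_events.append((now, account))
            return "LOCKED"
        return "FAILED"


def run_demo() -> dict:
    """Constructed scenario: a password-guessing burst against 'alice', and a
    legitimate user 'bob' who mistypes nine times before getting it right."""
    policy = LockoutPolicy()
    t0 = datetime(2022, 9, 20, 9, 0, 0)      # constructed timestamp

    # 12 wrong guesses one second apart: the 10th trips the lockout.
    burst = [policy.attempt("alice", False, t0 + timedelta(seconds=i))
             for i in range(12)]
    # The real user, with the correct password, is still rejected 5 minutes in.
    during_lockout = policy.attempt("alice", True, t0 + timedelta(minutes=5))
    # Once the 10-minute lockout has elapsed the correct password works again.
    after_lockout = policy.attempt("alice", True, t0 + timedelta(minutes=11))

    # Nine mistakes then a success reset the counter, so one more mistake
    # is just another failure, not a lockout.
    for i in range(9):
        policy.attempt("bob", False, t0 + timedelta(seconds=i))
    policy.attempt("bob", True, t0 + timedelta(seconds=9))
    bob_after_reset = policy.attempt("bob", False, t0 + timedelta(seconds=10))

    return {
        "burst": burst,
        "during_lockout": during_lockout,
        "after_lockout": after_lockout,
        "bob_after_reset": bob_after_reset,
        "lockouts": [acct for _, acct in policy.lockout_events],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The `during_lockout` result is the trade-off administrators should plan for: a policy that locks an account after failed attempts also means that anyone who can reach a logon prompt for that account, including over RDP, can keep its legitimate owner out for the lockout duration. Windows logs each lockout as event ID 4740 and each failed logon as 4625, so alerting on clusters of those events is the natural companion to enabling the policy.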

If you would like to know more about the account lockout function, get in touch today and one of our experts would be happy to discuss.