Default account lockout policies in Windows 11
Windows 11 is the newest and generally most secure operating system in the Windows family. In the newest iteration of Windows, there are default account lockout policies that exist to mitigate RDP and other brute force password vectors.
Brute force password attacks can be automated to try millions of password combinations against any or all user accounts to find one that works. Without account lockout policies, this type of attack can proceed indefinitely until the right password is eventually found. With a working Windows 11 default lockout policy, only ten invalid password attempts result in the inability of an attacker to continue until the counter resets. This drastically slows down an attacker.
Pre-configured default lockout policies start in clean installs of Windows 11 Build 22528.1000. The default policies are planned to be backported to Windows 10 and Windows Servers as well. The default lockout policy is now the following:
- Account lockout duration: 10 Minutes
- Account lockout threshold: 10 invalid attempts
- Allow Administrator account lockout: Yes (built-in Administrator account)
- Reset Account lockout counter after: 10 Minutes
The default policies only apply to clean installs. The new Group Policy (local or domain) settings are not retroactively applied to existing systems. Most systems, therefore, won’t take advantage of the new settings. This moves the onus of the change to system administrators. Understandably, Microsoft does not want to clobber existing settings or make a potentially problematic change without an organization’s consent.
What about stolen credentials?
Attackers often take the path of least resistance. The brute force approach requires trial and error, but with stolen valid credentials, an attacker doesn’t need to spend time finding a crack in an organization’s defenses. Instead they simply log in as a normal user or administrator to launch the attack from within.
Many existing and newly created password lists contain reams of stolen credentials—and one of those lists may include credentials from someone in your organization. All it takes is an attacker spending a relatively small amount of money to retrieve those credentials and then launch a low-risk, high-reward ransomware attack.
Protect against stolen credentials with Specops Password Policy
Although lockout policies are important, these settings do not protect against a purchased password list containing valid credentials. Therefore, you need an up-to-date breached/stolen password list to have credentials actively checked against. Specops Password Policy ups the ante and greatly enhances not only the potential strength of your account passwords but offers the ability for both real-time and periodic account password scans against a breached password list.
With the Breached Password List functionality, you can scan your accounts against a regularly updated list of over 4 billion breached passwords. You can even instantly inform users upon password change why their password isn’t compliant.
Specops Password Policy offers much more than breached password protections, you can also:
- Use custom dictionary lists to disallow words common to your organization.
- Block usernames, display names, specific words, consecutive characters, incremental passwords, and the reuse of a part of the current password.
- Take advantage of granular GPO-driven targeting for any organizational unit (OU), computer, user, or group population.
- Use Regular Expressions to customize requirements further.
- Use helpful end-user client messaging at failed password changes.
For more information, check out Impact of running Specops Password Policy on Active Directory.
Protect your organization and your users today with a free trial of Specops Password Policy.
(Last updated on November 29, 2022)