• All Windows versions can now block admin brute-force attacks


    #2487556

    https://www.bleepingcomputer.com/news/microsoft/all-windows-versions-can-now-block-admin-brute-force-attacks/

    Microsoft announced today that IT admins can now configure any Windows system still receiving security updates to automatically block brute force attacks targeting local administrator accounts via a group policy…

    As a result, Windows 11 systems where the policy is toggled on automatically lock user accounts (including Administrator accounts) for 10 minutes after 10 failed sign-in attempts within 10 minutes…

    Today, almost three months after Weston’s announcement, Microsoft revealed that the same account lockout policy is now available on any Windows system where the October 2022 cumulative updates are installed.

    “In an effort to prevent further brute force attacks/attempts, we are implementing account lockouts for Administrator accounts,”…

    This group policy will be enabled by default on all new machines running Windows 11 22H2 or those where the October 2022 Windows cumulative updates were installed before the initial setup when the Security Account Manager (SAM) database that stores the users’ passwords is first instantiated on the new machine…

    • #2487559

      Microsoft announced today that IT admins can now configure any Windows system still receiving security updates to automatically block brute force attacks targeting local administrator accounts via a group policy…

      Above emphasis mine.

      What about Windows 7 and 8.1?  They’re both still receiving security updates.

      Are they privy to this new group policy or is Microsoft excluding both of them in the hopes this type of attack will obliterate them once and for all from their OS lineup so they finally won’t have to deal with them anymore?

      • #2487562

        Any appears to mean any:

        Windows Server 2008 Datacenter ESU
        Windows Server 2008 Standard ESU
        Windows Server 2008 Enterprise ESU
        Windows 7 Enterprise ESU
        Windows 7 Professional ESU
        Windows 7 Ultimate ESU
        Windows Server 2008 R2 Enterprise ESU
        Windows Server 2008 R2 Standard ESU
        Windows Server 2008 R2 Datacenter ESU
        Windows Embedded Standard 7 ESU
        Windows Embedded POSReady 7 ESU
        Windows Server 2012
        Windows Embedded 8 Standard
        Windows 8.1
        Windows RT 8.1
        Windows Server 2012 R2
        Windows Embedded 8.1 Industry Enterprise
        Windows Embedded 8.1 Industry Pro
        Windows 10
        Windows 10, version 1607, all editions
        Windows Server 2016, all editions
        Windows 10 Enterprise 2019 LTSC
        Windows 10 IoT Enterprise 2019 LTSC
        Windows 10 IoT Core 2019 LTSC
        Windows Server 2019
        Windows 10 Enterprise Multi-Session, version 20H2
        Windows 10 Enterprise and Education, version 20H2
        Windows 10 IoT Enterprise, version 20H2
        Windows 10 on Surface Hub
        Windows 10, version 21H1, all editions
        Windows 10, version 21H2, all editions
        Windows 11 version 21H2, all editions
        Windows 11 version 22H2, all editions
        Windows Server 2022

        KB5020282—Account lockout available for local administrators

        Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

    • #2487560

      Additionally, we are now enforcing password complexity on new machines if a local administrator account is used. The password must have at least three of the four basic character types (lower case, upper case, numbers, and symbols).

      https://support.microsoft.com/en-us/topic/kb5020282-account-lockout-available-for-local-administrators-bce45c4d-f28d-43ad-b6fe-70156cb2dc00#:~:text=Additionally%2C%20we%20are,Password%20Policy.

      Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

    • #2487579

      This group policy will be enabled by default on all new machines running Windows 11 22H2 or those where the October 2022 Windows cumulative updates were installed before the initial setup when the Security Account Manager (SAM) database that stores the users’ passwords is first instantiated on the new machine…

      I’ve highlighted one extremely important catch I noticed in this announcement!

      So, exactly how does one go about creating a “new” Security Account Manager database for existing PCs after they receive the Oct update that enables this Group Policy?

      • #2487639

        So, exactly how does one go about creating a “new” Security Account Manager database for existing PCs after they receive the Oct update that enables this Group Policy?

        You don’t. You just enable the group policy if it’s required.

        Only the new default is not there unless it’s a new installation.

        Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

      • #2487666

        You are probably going to have to remove/rebuild the older SAM database similar to other items where you may be protecting it going forward, but left over caches are still there.

        Susan Bradley Patch Lady

    • #2487853

      Any appears to mean any:

      Windows 10 Pro October updates. Lockout Policy ‘Not Applicable’.

      • #2487866

        It’s a little weird that you have to set the Account lockout threshold first. I just set that to the recommended 10 and then the other three were automatically set to the recommended 10/Enabled/10 and became available for adjustment.

        [Screenshot: Admin-Lockout]

        Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

      • #2488282

        Windows 10 Pro October updates. Lockout Policy ‘Not Applicable’.

        Hi Alex5723:

        After installing my Oct 2022 Patch Tuesday updates I confirmed the account lockout policies on my Win 10 Pro v21H2 laptop are “Not Available” and look similar to the image you attached in post # 2487853.

        [Screenshot: Win 10 Pro v21H2 build 19044.2130, new Oct 2022 Account Lockout Policy shown as Not Available, 14 Oct 2022]
        ———-
        Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.2130 * Firefox v105.0.3 * Microsoft Defender v4.18.2209.7-1.1.19700.3 * Malwarebytes Premium 4.5.15.215-1.0.1784 * Macrium Reflect Free v8.0.6979

        • #2488339

          account lockout policies on my Win 10 Pro v21H2 laptop are “Not Available”

          you have to set the Account lockout threshold first.

          Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

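    As an added example, not posted by anyone in the thread, here is the same procedure the replies above carry out in the Local Security Policy console, done from an elevated PowerShell prompt on a standalone (non domain-joined) machine. It uses secedit's INF template format; the [System Access] key names LockoutBadCount, ResetLockoutCount, LockoutDuration and AllowAdministratorLockout are the ones secedit exports, and the temp file paths are my own choice. On a domain-joined machine a domain GPO for Account Lockout Policy overrides whatever is set locally, so check there first.

```powershell
# Added example (not from the AskWoody thread or Microsoft's KB): inspect and
# set the local account lockout policy that KB5020282 adds. Run elevated.
# Assumes a standalone machine; domain GPO wins on a domain-joined one.

$current = Join-Path $env:TEMP 'lockout-current.inf'

# 1. Export the current local security policy and show the lockout values.
secedit /export /cfg $current /areas SECURITYPOLICY | Out-Null
Get-Content $current | Select-String 'Lockout'
# With LockoutBadCount = 0 the console shows the other three settings as
# "Not Applicable": there is no threshold for them to act on.

# 2. Apply the recommended 10 / 10 / 10 and allow built-in Administrator
#    lockout. Applying all four in one secedit pass avoids having to set the
#    threshold first by hand, which is what the console requires.
$template = @"
[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 10
ResetLockoutCount = 10
LockoutDuration = 10
AllowAdministratorLockout = 1
[Version]
signature="`$CHICAGO`$"
Revision=1
"@
$tpl = Join-Path $env:TEMP 'lockout-policy.inf'   # hypothetical path
$db  = Join-Path $env:TEMP 'lockout.sdb'          # hypothetical path
$template | Set-Content -Path $tpl -Encoding Unicode
secedit /configure /db $db /cfg $tpl /areas SECURITYPOLICY /quiet

# 3. Verify: net accounts shows threshold, duration and observation window;
#    the export confirms the admin-lockout flag landed.
net accounts
secedit /export /cfg $current /areas SECURITYPOLICY | Out-Null
Select-String -Path $current -Pattern 'AllowAdministratorLockout'
```

    Exporting before and after is the check worth keeping: the first export shows why the console reads "Not Applicable" on a machine whose threshold is still 0, and the second proves AllowAdministratorLockout = 1 actually took, which net accounts alone does not display.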
    • #2487913

      Isn’t it ‘best practice’ to disable local admins?

      • #2487916

        Isn’t it ‘best practice’ to disable local admins?

        Not necessarily. Some choose not to have a Microsoft account as administrator.

        Edited to add: You were talking IT; I was talking individual. My answer has no bearing in this topic.

        Carpe Diem {with backup and coffee}
        offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
        offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
        online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox115.0b3 MicrosoftDefender
      • #2488371

        Isn’t it ‘best practice’ to disable local admins?

        “Local Computer Policy > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > Allow Administrator account lockout” only applies to the built-in Administrator account, not the Administrators group.

        [Screenshot: Account-lockout]

        I disable that account in Computer Management (Local) > Local Users and Groups > Users.

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We were all once "Average Users". We all have our own reasons for doing the things that we do to our systems, we don't need anyone's approval, and we don't all have to do the same things.

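    Since the new setting covers only the RID-500 account, here is an added PowerShell example (mine, not from the thread) that locates that account by SID rather than by name, which matters when it has been renamed, lists the other local administrators, and disables the built-in account only when another enabled local administrator exists. The "Allow Administrator account lockout" setting is needed only for the RID-500 account; other local administrators were already subject to the ordinary lockout threshold. Run elevated; it assumes the LocalAccounts module cmdlets (Windows 10/11, Server 2016 and later).

```powershell
# Added example (not from the thread): find the built-in Administrator by its
# well-known RID 500, show the other local admins, and disable the built-in
# account only if doing so cannot lock you out of the machine. Run elevated.

$builtInAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
"Built-in Administrator: {0} (Enabled={1})" -f $builtInAdmin.Name, $builtInAdmin.Enabled

# Other local accounts with admin rights. These are already subject to the
# ordinary lockout threshold; only the RID-500 account needs
# "Allow Administrator account lockout" to be covered.
$otherLocalAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
    ForEach-Object { Get-LocalUser -SID $_.SID } |
    Where-Object { $_.SID.Value -ne $builtInAdmin.SID.Value }

"Other local administrators:"
$otherLocalAdmins | Select-Object Name, Enabled, LastLogon

# Disable the built-in account only when at least one other enabled local
# administrator exists, so the machine keeps a usable admin sign-in.
$otherEnabled = @($otherLocalAdmins | Where-Object { $_.Enabled })
if ($otherEnabled.Count -gt 0 -and $builtInAdmin.Enabled) {
    Disable-LocalUser -SID $builtInAdmin.SID
    "Disabled $($builtInAdmin.Name)"
} else {
    "Left $($builtInAdmin.Name) unchanged: no other enabled local administrator found"
}
```

    Matching on the RID instead of the name is the point of the example: the lockout setting in the post above follows the SID, not the display name, and so does this script.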