• Brute force vs. local admins

    • #2491501

      Not a fan of lockouts, but this seems to be one of the better implementations.

      -- rc primak

    • #2491531

      I am increasingly concerned that personal computer management will be beyond the grasp of the average computer user. How many times will a computer technician be called to reset a password to allow computer access?

      Carpe Diem {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox114.0b8 MicrosoftDefender
    • #2491536

      I know of only two instances when the Local Administrator account is actually needed (there are tools that can be used to work around those), and I doubt if anyone here will ever encounter those instances. There is no good reason for the Local Administrator account to be enabled, and the account lockout applies only to the Local Administrator account, not to the Administrators group.

      I have an account in the Administrators group that satisfies UAC, and I run routinely using only a Standard user account.  In my experience, the Administrator lockout is of little use.

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We were all once "Average Users". We all have our own reasons for doing the things that we do to our systems, we don't need anyone's approval, and we don't all have to do the same things.

    • #2491561

      As described in “Account lockout available for Local Administrators” (KB5020282), the capability is available for almost all versions of Windows dating back to Windows 7 and Server 2008.

      The title of that KB has been amended recently to include “built-in” before “local administrators”.

      The paragraph about password complexity also now has the added “built-in”, which was not included when I copied it 12 days ago (or when you copied it for this article):

      Additionally, we are now enforcing password complexity on new machines if a local administrator account is used. The password must have at least three of the four basic character types (lower case, upper case, numbers, and symbols).

      https://support.microsoft.com/en-us/topic/kb5020282-account-lockout-available-for-local-administrators-bce45c4d-f28d-43ad-b6fe-70156cb2dc00#:~:text=Additionally%2C%20we%20are,Password%20Policy.

      Again, I was able to set up a username with a blank password.

      I don’t understand what Microsoft means when it states that password complexity will be mandated.

      Unless you enabled the built-in administrator account, I don’t think you were testing the new requirement.

      If you are a home or consumer user, and especially if you have not enabled RDP, I don’t recommend doing anything with this policy. Instead, I suggest any or all of the following:

      Do not set a password for your Local Administrator account.

      If RDP is not enabled, what’s the advantage of a blank admin password?

      A blank admin password sounds quite reckless to me, considering kids or keyloggers at home and easy data access if a computer is lost or stolen. And it conflicts with your recommendation for strong passwords in the next sentence:

      A lock isn’t an option for mobile devices, so strong passwords or biometrics are currently the best options.

      Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

      1 user thanked author for this post.
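An added audit script (not from this thread or from Microsoft's KB) that reports the state the posts above argue about: whether the built-in Administrator account (the one with RID 500, even if renamed) is enabled and requires a password, who else sits in the Administrators group (and is therefore not covered by the built-in lockout), and the lockout threshold currently reported by `net accounts`. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module, run from an elevated prompt; it only reads and changes nothing.

```powershell
# Added example (not from the thread): audit built-in Administrator lockout exposure.
# Assumes Windows PowerShell 5.1+ with Microsoft.PowerShell.LocalAccounts, elevated prompt.

# The built-in Administrator account always has a SID ending in -500, whatever its name.
$builtIn = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

[PSCustomObject]@{
    BuiltInAdminName    = $builtIn.Name
    BuiltInAdminEnabled = $builtIn.Enabled
    PasswordRequired    = $builtIn.PasswordRequired   # $false: a blank password is permitted
} | Format-List

# Members of the Administrators group are outside the built-in Administrator lockout;
# list them so each account's own password and lockout exposure can be reviewed.
Write-Host 'Members of the local Administrators group:'
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# Lockout settings as printed by 'net accounts'. A threshold of "Never" means none is set.
$netAccounts = net accounts
function Get-NetAccountsValue([string[]]$Lines, [string]$Label) {
    $m = $Lines | Select-String ([regex]::Escape($Label) + '\s+(.+)$')
    if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { 'unknown' }
}
$threshold = Get-NetAccountsValue $netAccounts 'Lockout threshold:'
$duration  = Get-NetAccountsValue $netAccounts 'Lockout duration (minutes):'
$window    = Get-NetAccountsValue $netAccounts 'Lockout observation window (minutes):'
Write-Host "Lockout threshold: $threshold; duration: $duration min; window: $window min"

# The findings that matter for the discussion above.
if ($builtIn.Enabled -and $threshold -eq 'Never') {
    Write-Warning 'Built-in Administrator is enabled and no lockout threshold is set.'
}
if ($builtIn.Enabled -and -not $builtIn.PasswordRequired) {
    Write-Warning 'Built-in Administrator is enabled and a blank password is permitted.'
}
if (-not $builtIn.Enabled) {
    Write-Host 'Built-in Administrator is disabled; the KB5020282 lockout does not apply to other admins.'
}
```

If the built-in account is disabled, as the post above recommends, the lockout setting is moot and the remaining risk sits with the listed Administrators group members and their own passwords.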