Brute force vs. local admins

Topic

New Reply

ON SECURITY By Susan Bradley Microsoft recently added new protections to ensure that ransomware operators can’t use a brute-force attack to discover t
[See the full post at: Brute force vs. local admins]

Susan Bradley Patch Lady

6 users thanked author for this post.

Norio, lmacri, oldfry, geekdom, rc primak, Fred

Reply | Quote

Replies

Not a fan of lockouts, but this seems to be one of the better implementations.

-- rc primak

Reply | Quote

I am increasingly concerned that personal computer management will be beyond the grasp of the average computer user. How many times will a computer technician be called to reset a password to allow computer access?

Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox114.0b8 MicrosoftDefender

Reply | Quote

I know of only two instances when the Local Administrator account is actually needed (there are tools that can be used to workaround those), and I doubt if anyone here will ever encounter those instances.  There is no good reason for the Local Administrator account to be enabled, and the account lockout applies only to the Local Administrator account, not to the Administrators group.

I have an account in the Administrators group that satisfies UAC, and I run routinely using only a Standard user account.  In my experience, the Administrator lockout is of little use.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We were all once "Average Users". We all have our own reasons for doing the things that we do to our systems, we don't need anyone's approval, and we don't all have to do the same things.

Computer Specs

Reply | Quote

Susan Bradley wrote:

As described in “Account lockout available for Local Administrators” (KB5020282), the capability is available for almost all versions of Windows dating back to Windows 7 and Server 2008.

The title of that KB has been amended recently to include “built-in” before “local administrators”.

The paragraph about password complexity also now has the added “built-in”, which was not included when I copied it 12 days ago (or when you copied it for this article):

b wrote:

Additionally, we are now enforcing password complexity on new machines if a local administrator account is used. The password must have at least three of the four basic character types (lower case, upper case, numbers, and symbols).

https://support.microsoft.com/en-us/topic/kb5020282-account-lockout-available-for-local-administrators-bce45c4d-f28d-43ad-b6fe-70156cb2dc00#:~:text=Additionally%2C%20we%20are,Password%20Policy.

Susan Bradley wrote:

Again, I was able to set up a username with a blank password.

I don’t understand what Microsoft means when it states that password complexity will be mandated.

Unless you enabled the built-in administrator account, I don’t think you were testing the new requirement.

Susan Bradley wrote:

If you are a home or consumer user, and especially if you have not enabled RDP, I don’t recommend doing anything with this policy. Instead, I suggest any or all of the following:
…
Do not set a password for your Local Administrator account.

If RDP is not enabled, what’s the advantage of a blank admin password?

A blank admin password sounds quite reckless to me, considering kids or keyloggers at home and easy data access if a computer is lost or stolen. And it conflicts with your recommendation for strong passwords in the next sentence:

Susan Bradley wrote:

A lock isn’t an option for mobile devices, so strong passwords or biometrics are currently the best options.

Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

1 user thanked author for this post.

rc primak

Reply | Quote