Microsoft releases protection against brute-force attacks on admin accounts


Microsoft is introducing an option to protect administrator accounts from brute-force attacks with login attempt restrictions. The new option is part of the October Update for Windows 11.

Until now it has been possible to make an unlimited number of login attempts against a local admin account in a brute-force attack, which Microsoft wants to prevent with update KB5020282. With a new policy, admin accounts can now also be temporarily ‘locked’, so that further login attempts are no longer possible. This is configured under the Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies setting.

Microsoft says about the new Account Lockout Policies: “We recommend setting ‘10/10/10’. This means that accounts will be locked after ten failed login attempts within ten minutes. The measure lasts for ten minutes, after which the account will be unlocked automatically.” Administrators are free to adjust the parameters of the brute-force protection, for example by disabling the automatic unlocking of an admin account or by further limiting the number of login attempts.

New systems running Windows 11 or PCs eligible for the October 11, 2022 Cumulative Update will have the 10/10/10 ratio as the default. For all other systems, the above steps must be followed to enable the policy. The feature has been available for all other types of accounts on a Windows system for some time, but local administrators have not been covered so far.
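As an added example (not from the article and not Microsoft's own code), the following PowerShell script audits a machine's local Account Lockout Policy against the 10/10/10 recommendation described above. It exports the local security policy with `secedit` and reads the `[System Access]` section; the key names `LockoutBadCount`, `ResetLockoutCount` and `LockoutDuration` are the standard security-template names, while `AllowAdministratorLockout` is assumed here to be the template key behind the new "allow Administrator account lockout" switch. The embedded sample export is constructed so the parsing and checks can be exercised without touching the live policy.

```powershell
# Added example: audit the local Account Lockout Policy against the 10/10/10
# recommendation. Run the live check from an elevated PowerShell prompt.

function Get-LockoutPolicy {
    param([string[]]$InfLines)
    # Parse "Key = Value" lines from the [System Access] section of a secedit export.
    $policy = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $policy
}

function Test-LockoutPolicy {
    param([hashtable]$Policy)
    $threshold = $Policy['LockoutBadCount']           # failed attempts before lockout (0 = never)
    $window    = $Policy['ResetLockoutCount']         # minutes before the failure counter resets
    $duration  = $Policy['LockoutDuration']           # minutes locked; -1 = until an admin unlocks
    $adminLock = $Policy['AllowAdministratorLockout'] # assumed key name for the new admin switch
    $findings  = @()

    if ($null -eq $threshold -or $threshold -eq 0) {
        $findings += 'Lockout threshold is 0: unlimited failed login attempts are allowed'
    } elseif ($threshold -gt 10) {
        $findings += "Lockout threshold $threshold is weaker than the recommended 10"
    }
    if ($null -eq $window -or $window -lt 10) {
        $findings += "Observation window $window min is shorter than the recommended 10"
    }
    # A duration of -1 (locked until unlocked by an admin) is stricter than 10 and acceptable.
    if ($null -ne $duration -and $duration -ne -1 -and $duration -lt 10) {
        $findings += "Lockout duration $duration min is shorter than the recommended 10"
    }
    if ($adminLock -ne 1) {
        $findings += 'Built-in Administrator account is not covered by the lockout policy'
    }
    return $findings
}

# Constructed sample export resembling the defaults on an older system (not a real capture).
$sample = @'
[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Write-Host '--- Sample policy ---'
Test-LockoutPolicy (Get-LockoutPolicy $sample) | ForEach-Object { Write-Host "FINDING: $_" }

# Live check of this machine (requires elevation; secedit writes an .inf we parse and delete).
$tmp = Join-Path $env:TEMP 'lockout-audit.inf'
secedit /export /cfg $tmp /areas SECURITYPOLICY | Out-Null
if (Test-Path $tmp) {
    Write-Host '--- Live policy ---'
    $live = Test-LockoutPolicy (Get-LockoutPolicy (Get-Content $tmp))
    if (-not $live) { Write-Host 'OK: lockout policy meets or exceeds 10/10/10' }
    else { $live | ForEach-Object { Write-Host "FINDING: $_" } }
    Remove-Item $tmp -Force
}
```

On the constructed sample the script reports two findings (threshold 0 and the Administrator account not covered); a threshold above 10, or a lockout duration below 10 minutes, is flagged as weaker than the recommendation, while a duration of -1 is accepted because it corresponds to the stricter "no automatic unlock" variant the article mentions.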
