Account lockout policy in Windows 11 is enabled by default to block brute force attacks

Starting with Windows 11 Microsoft introduce by default an account lockout policy that can block brute force attacks.

Starting with Windows 11 Insider Preview build 22528.1000 the OS supports an account lockout policy enabled by default to block brute force attacks. The lockout policy was set to limit the number of failed sign-in attempts to 10, for 10 minutes.

“Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors. This technique is very commonly used in Human Operated Ransomware and other attacks – this control will make brute forcing much harder which is awesome.” announced David Weston, Microsoft vice president for enterprise and OS security.

The Account lockout threshold policy allows setting the number of failed sign-in attempts that will cause a user account to be locked. Once the account has been locked, it cannot be used until the admin reset it or until the number of minutes specified by the Account lockout duration policy setting expires.

The lockout policy is supported by Windows 10 and some Windows Server builds.

A collateral effect is that threat actors can abuse this feature to launch denial-of-service (DoS) attacks, causing problems for the target organizations.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Windows 11)

[adrotate banner=”5″]

[adrotate banner=”13″]