Windows enables default account lockout policy for RDP (Remote Desktop Protocol) to reduce ransomware attacks based on brute forcing RDP

Microsoft has added specific security measures against brute force attacks on RDP (Remote Desktop Protocol). These improvements have been introduced in the most recent builds of Windows 11. Given the evolution of this type of attack abusing RDP, Microsoft decided to add the measure in the latest Insider Preview build, 22528.1000. The policy automatically locks an account for 10 minutes after 10 invalid login attempts. The news was broken by David Weston (VP of OS & Enterprise Security) on Twitter last week.

These kinds of attacks against RDP are quite common in human-operated ransomware. This relatively simple measure makes brute force attacks considerably harder and is quite effective in discouraging them. However, the same policy could already be enabled manually in Windows 10, so the real novelty is that it is now enabled by default.

On the other hand, it is expected that, as happened with the blocking of VBA macros in Office documents, the measure will also be rolled out to previous versions of Windows and Windows Server. Aside from malicious macros, brute forcing RDP access has long been one of the most popular methods used in cyberattacks, and it has proved successful in gaining initial unauthorized access to Windows systems. Among others, the LockBit, Conti, Hive, PYSA, Crysis, SamSam and Dharma ransomware families are known to rely on this type of attack to gain initial access to victims’ computers.

Effects of the security measure

With this measure Microsoft hopes to significantly reduce the number of intrusions into computers running its operating system, by preventing attacks that obtain passwords by brute force against RDP (especially weak passwords). Cybercriminals also use this technique to gain access to victim systems and later sell the credentials on the Dark Web.

However, Microsoft warns that this protection could be exploited by cybercriminal groups to orchestrate a denial of service (DoS) attack: it would suffice to run brute force attempts in parallel against every account in the organization over RDP, repeated at ten-minute intervals, to keep all of them locked for as long as the attack lasts.
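The lockout-based DoS described above leaves a clear trace in the Security log: a burst of account lockout events (Event ID 4740) across many accounts, accompanied by failed logon events (Event ID 4625) from the same sources. The following added PowerShell example (not code from the original article or from Microsoft) summarizes both within the ten-minute window the article mentions and flags when the number of locked accounts or failures per source exceeds a threshold. It assumes account lockout and logon failure auditing are enabled on the host (or domain controller) it runs on; the `$MaxLockedAccounts` and `$MaxFailuresPerSource` thresholds and the function name are illustrative.

```powershell
# Added example (not from the original article): detect a burst of RDP-driven
# account lockouts in the Security log. Assumptions: auditing of account
# lockouts (4740) and logon failures (4625) is enabled; thresholds are illustrative.
param(
    [int]$WindowMinutes        = 10,   # the lockout window the article describes
    [int]$MaxLockedAccounts    = 5,    # illustrative: more distinct lockouts than this is suspicious
    [int]$MaxFailuresPerSource = 20    # illustrative: RDP failures per source IP worth reporting
)

$since = (Get-Date).AddMinutes(-$WindowMinutes)

# Turn an event's <EventData> into a hashtable keyed by field name.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 4740 = "A user account was locked out". In its EventData the locked account is
# TargetUserName and the caller computer name is carried in TargetDomainName.
$lockouts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $d['TargetUserName']; Caller = $d['TargetDomainName'] }
    }

# 4625 = "An account failed to log on"; LogonType 10 is RemoteInteractive (RDP).
$rdpFailuresBySource = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventData $_ } |
    Where-Object { $_['LogonType'] -eq '10' } |
    Group-Object -Property { $_['IpAddress'] } |
    Sort-Object Count -Descending

$lockedAccounts = @($lockouts | Select-Object -ExpandProperty Account -Unique)

"Last $WindowMinutes minutes: $($lockedAccounts.Count) distinct account(s) locked out."
if ($lockedAccounts.Count -gt $MaxLockedAccounts) {
    Write-Warning "Possible lockout-based DoS: $($lockedAccounts.Count) accounts locked within $WindowMinutes minutes."
    $lockouts | Group-Object Caller | Sort-Object Count -Descending |
        ForEach-Object { "  caller {0,-20} locked {1} account(s)" -f $_.Name, $_.Count }
}

foreach ($src in $rdpFailuresBySource) {
    if ($src.Count -ge $MaxFailuresPerSource) {
        $accounts = @($src.Group | ForEach-Object { $_['TargetUserName'] } | Select-Object -Unique).Count
        Write-Warning ("Source {0}: {1} failed RDP logons against {2} account(s)" -f $src.Name, $src.Count, $accounts)
    }
}
```

Two caveats when deploying this: on a domain, 4740 is recorded on the domain controller (the PDC emulator sees every lockout), so run it there rather than on the RDP host; and when Network Level Authentication is enabled, failed RDP attempts are often logged with LogonType 3 (network) instead of 10, so the filter may need to include that type, at the cost of also counting SMB and other network logon failures.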