Friday, December 6, 2024

Windows 11 Account lockout policy is enabled by default to block brute force attacks

Starting with Windows 11 Insider Preview build 22528.1000, the OS ships with an account lockout policy enabled by default to mitigate brute force attacks. The default locks an account after 10 failed sign-in attempts, keeps it locked for 10 minutes, and resets the failed-attempt counter after 10 minutes.

“Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors. This technique is very commonly used in Human Operated Ransomware and other attacks – this control will make brute forcing much harder which is awesome.” announced David Weston, Microsoft vice president for enterprise and OS security.

The Account lockout threshold policy sets the number of failed sign-in attempts that will cause a user account to be locked. Once the account has been locked, it cannot be used until an administrator resets it or until the number of minutes specified by the Account lockout duration policy setting expires.

The lockout policy is also available on Windows 10 and Windows Server builds, but there it is not enabled by default and must be configured manually.

Creating an Account Lockout Policy protects an account by limiting the number of times a remote application or attacker can try to guess its password. It works by automatically locking the account after a designated number of incorrect passwords have been entered. The account then remains locked for a designated period of time before it is automatically unlocked and can be signed into again. This is a valuable addition to account security because it makes online brute force password attacks impractical. Two caveats: the counter is per account, so an attacker can still try a few common passwords against many accounts (password spraying) without tripping it, and an attacker who knows a user name can deliberately lock that user out.


If you have the lockout threshold set to 4 bad attempts and the lockout duration to 15 minutes, an attacker gets at most 4 guesses per 15-minute window, that is 16 guesses per hour against a single account. For comparison, the Windows 11 default of 10 attempts per 10 minutes allows 60 guesses per hour. The Reset account lockout counter after setting also matters: if it is shorter than the time between the attacker's guesses, the counter resets and the threshold is never reached.

How to set up the lockout policy (Windows 7 to 11)

The settings live under Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. If you want a locked account to stay locked until an administrator unlocks it, set "Account lockout duration" to "0" minutes ("Account is locked out until administrator unlocks it"). Be aware that this lets anyone who can reach a sign-in prompt lock legitimate users out on purpose, so most environments prefer a finite duration.

  1. Click on the Start button, type Secpol.msc and hit Enter.
  2. Navigate to Account Policies and then Account Lockout Policy.
  3. Right-click on Account lockout threshold and select Properties.
  4. Enter the value you want to use and hit OK to save. I like to use 4 here.
  5. Windows will propose default values (30 minutes) for Account lockout duration and Reset account lockout counter after. If you want to change them, right-click on each and select Properties. After making your changes hit OK to save and exit. Note that Windows requires the reset window to be no longer than the lockout duration.

Alternatively, fire up an elevated PowerShell session.

View the current policy by typing:

net accounts

If you need to set the lockout threshold, use this command (requires elevated privileges):

net accounts /lockoutthreshold:10

The same command accepts /lockoutduration:<minutes> and /lockoutwindow:<minutes> for the lockout duration and the reset window.
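Putting the two sections above together, here is an added example (not from the original article) that audits the lockout policy from an elevated PowerShell session, enforces the Windows 11 default values if the machine is weaker, computes the worst-case online guessing rate the policy allows (the 4-per-15-minutes calculation from above, generalised), and lists recent lockouts from the Security log. The target values, the function names and the 24-hour look-back are assumptions for illustration; the `net accounts` label parsing assumes an English Windows build.

```powershell
# Added example, not code from the original article.
# Assumes an elevated PowerShell session on an English-language Windows 10/11 or
# Windows Server build. Target values mirror the Windows 11 default (10/10/10).
$Target = @{ Threshold = 10; DurationMinutes = 10; WindowMinutes = 10 }

function Get-LockoutPolicy {
    # Parse the English output of `net accounts` into a hashtable.
    # Localised builds print different labels; adjust the regexes if needed.
    $text = (net accounts) -join "`n"
    $policy = @{ Threshold = 0; DurationMinutes = 0; WindowMinutes = 0 }
    if ($text -match 'Lockout threshold:\s+(\S+)') {
        # "Never" means lockout is disabled, i.e. threshold 0.
        $policy.Threshold = if ($Matches[1] -eq 'Never') { 0 } else { [int]$Matches[1] }
    }
    if ($text -match 'Lockout duration \(minutes\):\s+(\d+)') {
        $policy.DurationMinutes = [int]$Matches[1]
    }
    if ($text -match 'Lockout observation window \(minutes\):\s+(\d+)') {
        $policy.WindowMinutes = [int]$Matches[1]
    }
    return $policy
}

function Set-LockoutPolicy {
    param([int]$Threshold, [int]$DurationMinutes, [int]$WindowMinutes)
    # Windows requires the reset window to be no longer than the lockout duration
    # (a duration of 0 means "locked until an administrator unlocks").
    if ($DurationMinutes -ne 0 -and $WindowMinutes -gt $DurationMinutes) {
        throw "Reset window ($WindowMinutes) must not exceed lockout duration ($DurationMinutes)"
    }
    net accounts /lockoutthreshold:$Threshold /lockoutduration:$DurationMinutes /lockoutwindow:$WindowMinutes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net accounts failed with exit code $LASTEXITCODE" }
}

function Get-MaxGuessesPerHour {
    # Worst case for a single account: Threshold guesses, then wait out the lockout.
    param([int]$Threshold, [int]$DurationMinutes)
    if ($Threshold -eq 0) { return [double]::PositiveInfinity }   # no lockout at all
    if ($DurationMinutes -eq 0) { return $Threshold }             # locked until admin unlock
    return $Threshold * [math]::Floor(60 / $DurationMinutes)
}

function Get-RecentLockouts {
    param([int]$Hours = 24)
    # Event ID 4740 ("A user account was locked out") is written on the machine that
    # locked the account (the domain controller for domain accounts) and requires the
    # "Audit User Account Management" subcategory to be enabled.
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time           = $e.TimeCreated
            Account        = $e.Properties[0].Value   # TargetUserName
            CallerComputer = $e.Properties[1].Value   # TargetDomainName holds the caller computer for 4740
        }
    }
}

$current = Get-LockoutPolicy
"Current policy: threshold={0} duration={1}m window={2}m" -f $current.Threshold, $current.DurationMinutes, $current.WindowMinutes

# Weaker than the target if lockout is disabled, allows more attempts, or unlocks sooner.
$needsFix = ($current.Threshold -eq 0) -or
            ($current.Threshold -gt $Target.Threshold) -or
            ($current.DurationMinutes -ne 0 -and $current.DurationMinutes -lt $Target.DurationMinutes)
if ($needsFix) {
    Set-LockoutPolicy @Target
    $current = Get-LockoutPolicy
    "Policy set to:  threshold={0} duration={1}m window={2}m" -f $current.Threshold, $current.DurationMinutes, $current.WindowMinutes
}

"Worst-case online guesses per hour against one account: {0}" -f (Get-MaxGuessesPerHour -Threshold $current.Threshold -DurationMinutes $current.DurationMinutes)

"Lockouts in the last 24 hours:"
Get-RecentLockouts -Hours 24 | Format-Table -AutoSize
```

A burst of 4740 events for many different accounts from one caller computer is the password-spraying pattern the lockout policy does not stop on its own, which is why the event query is included alongside the policy check.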

Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!