Finally! Windows to Block Password Guessing — by Default

Brute-force guessing of Windows credentials is a common entry point for ransomware scrotes and other hackers. After almost 30 years, Microsoft is finally fixing the dumb default that allows criminals to try to log in again and again and again.

David Weston, VP of OS security and enterprise at Microsoft (pictured) seems happy to announce the news. It’s in Windows 11 public test builds now, and will appear in released Windows 10 and 11 “soon.”

It’s about time. But why are IT departments still exposing the Remote Desktop Protocol service to the internet? In today’s SB Blogwatch, we fear security theater.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Scary Dreams.

PSA: Keep RDP off the Net

What’s the craic? Sergiu Gatlan reports—“Windows 11 now blocks RDP brute-force attacks by default”:

“Leading to ransomware attacks”
Recent Windows 11 builds come with the Account Lockout Policy policy enabled by default which will automatically lock user accounts (including Administrator accounts)?…?for 10 minutes?…?after 10 failed sign-in attempts. … The account brute forcing process commonly requires guessing the passwords using automated tools. This tactic is now blocked by default.
…
Brute forcing credentials is a popular tactic among threat actors to breach Windows systems via Remote Desktop Protocol (RDP) when they don’t know the account passwords. … The FBI said RDP is responsible for roughly 70-80% of all network breaches leading to ransomware attacks.

Windows 11? What about the vast majority of Windows users? Liam Tung has good news—“Microsoft releases a new default policy?…?which is also heading to Windows 10”:

“Account Lockout Policy”
The new feature is rolling out to Windows 11 in a recent Insider test build, but the feature is also being backported to Windows 10 desktop and server. … That’s big news:?…?The policy is already an option in Windows 10 but isn’t enabled by default. … It could likely arrive in a future security update.
…
The defaults will be visible in the Windows Local Computer Policy directory “Account Lockout Policy”

What took them so long? Jeff Burt damns with faint praise—“RDP brute-forcing”:

“Huge list of passphrases”
Criminals have been using [it] for years to muscle their way into systems, steal data, and spread malicious code. [The] default account lockout policy?…?should be able to at least slow down would-be intruders.
…
In brute-force attacks, cybercriminals use automated tools to guess someone’s account password: The tools run through a huge list of passphrases until one of them works and logs into a victim’s account.

Well, quite. imglorp agrees:

Wait, RDP has been around since the last century and they’re just now adding this? What a signal.

As does splutty:

It’s also nice to see Microsoft implement a feature that’s been in use on any serious OS for the last 40 years. And yeah, exposing your RDP service directly to “The Internet” is utterly brain dead.

Or, at least, brain damaged. u/Legalize-It-Ags isn’t impressed:

You know what else blocks RDP brute-force attacks by default? Closing port 3389.

If you can’t close it, you could change it. LinuxBender adds a 3:

There are a lot of attempts to brute force 3389 RDP and 5900 VNC, I see them on all my nodes’ tarpit rules. [But] people should not depend on this blocking as the 10 minute account lockouts will only stop targeted attacks and not all the bots. … The better written bots?…?distribute their attempts across many targets reducing the probability of a lockout.
…
Windows machines should be behind a VPN or at least a firewall. … Another option that will take away the non-targeted bots?…?is to change the listening port for RDP. This is security through obscurity and works like a charm when putting nodes behind a VPN is just not possible—e.g., change 3389 to?…?33389. This will not stop a determined attacker but will most certainly cut out 99+% of the bots?…?and reduce risk of alert fatigue. This will also keep the non-targeted bots from locking out your accounts and creating support headaches.

But the policy won’t work. So says Bert64:

Account lockouts are stupid. The?…?feature has always been there, and it’s a useless bit of security theatre.
…
An external attacker usually doesn’t know what accounts you have aside from the default “administrator.” … Instead they will iterate through usernames instead of passwords, looking for accounts with some of the top 10 most common passwords. The account lockout function will not do anything about this because you’re not trying 10 logins to the same account.
…
[And] if an attacker does know your usernames then he can intentionally lock your accounts repeatedly to cause disruption. … Now you’re not allowed to log in because some bot halfway around the world can’t guess your password.

Meanwhile, Nifty can’t quite believe we’re still fighting brute-force credential guessing:

Isn’t there already 2FA for that?

And Finally:

Ryan and Jack return to form with a bang

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.