Although discussions of attacks on Windows usually focus on phishing, ransomware and the like, brute force attacks are still a very common technique, and in the right circumstances one that can be tremendously effective, to the misfortune of the users who end up as its victims.
Even if you are not familiar with this technique, its name alone gives a fairly accurate idea of what it consists of, and that idea will not be wrong. Brute force means trying password after password, one at a time, until, if the attacker is lucky, the right one turns up. It can be done blindly, or with the help of so-called dictionaries, which are nothing more than huge lists of passwords, or of the patterns people usually follow when creating them.
Brute force attacks are, of course, automated: the software trying to guess the password fires off one attempt after another as fast as the attacked system allows. In other words, we are not talking about a person manually typing each candidate password, but about tools capable of testing thousands of potential passwords per minute.
Sometimes, moreover, dictionaries are combined with knowledge of the victim: everything known about the target (from their date of birth to the name of their pet) can be taken into account when building the list of candidate passwords with which the attack is then launched.
Windows, in all its flavors, is one of the usual targets of brute force attacks, but it seems that Microsoft has had enough of this situation and, as we can see in this tweet from David Weston, vice president of enterprise and operating system security at the company, Microsoft has begun adding a default account lockout policy to Windows 11 in order to substantially mitigate the risk of brute force attacks.
This new policy, which will also come to Windows 10 (although there it will not be enabled by default), lets you set a maximum number of failed password attempts; once that number is reached, further attempts are blocked for the period we choose. By default it is 10 attempts, followed by 10 minutes of lockout. With that default setting, the maximum number of guesses an attack can make drops to just 60 per hour, whereas without it the number is practically unlimited.
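To see how this policy looks from the administrator's side, here is an added PowerShell example (not from the article or from Microsoft) that reads the effective local lockout policy with `net accounts`, compares it with the Windows 11 default described above, and lists recent lockout events so you can confirm the control is actually firing. It assumes an elevated session; on a domain member the domain GPO overrides the local values, and the property index used for the account name is an assumption about the 4740 event layout.

```powershell
# Added example: audit the local account lockout policy and recent lockouts.
# Assumes an elevated PowerShell session (local policy only; a domain GPO wins).

$expectedThreshold = 10   # failed attempts before lockout (Windows 11 default)
$expectedDuration  = 10   # minutes the account stays locked (Windows 11 default)

# 'net accounts' prints the effective local policy as "Name: value" lines
$policy = @{}
net accounts | ForEach-Object {
    if ($_ -match '^(?<name>.+?):\s+(?<value>.+)$') {
        $policy[$matches.name.Trim()] = $matches.value.Trim()
    }
}

$threshold = $policy['Lockout threshold']
$duration  = $policy['Lockout duration (minutes)']
$window    = $policy['Lockout observation window (minutes)']

"Lockout threshold                  : $threshold"
"Lockout duration (minutes)         : $duration"
"Lockout observation window (minutes): $window"

# 'Never' means lockout is disabled: every failed guess is free for an attacker
if ($threshold -eq 'Never' -or [int]$threshold -gt $expectedThreshold) {
    Write-Warning "Lockout threshold is weaker than the Windows 11 default ($expectedThreshold attempts)."
}
if ($threshold -ne 'Never' -and [int]$duration -lt $expectedDuration) {
    Write-Warning "Lockout duration is shorter than the Windows 11 default ($expectedDuration minutes)."
}

# To apply the Windows 11 default locally, uncomment the next line
# (the observation window must be less than or equal to the duration):
# net accounts /lockoutthreshold:$expectedThreshold /lockoutduration:$expectedDuration /lockoutwindow:$expectedDuration

# Detection side: Event ID 4740 is written when an account is locked out.
# Properties[0] is assumed to be TargetUserName (the locked account).
Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1)} `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'LockedAccount'; e = { $_.Properties[0].Value } }
```

A burst of 4625 (failed logon) events followed by a 4740 for the same account is the pattern this policy is designed to cut short, so both are worth forwarding to your SIEM.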
@windowsinsider Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors. This technique is very commonly used in Human Operated Ransomware and other attacks – this control will make brute forcing much harder which is awesome! pic.twitter.com/ZluT1cQQh0
— David Weston (DWIZZZLE) (@dwizzzleMSFT) July 20, 2022