Brute force attacks are one of the top three ways that Windows computers are attacked today. These attacks involve malicious actors trying to guess user passwords by repeatedly trying different password combinations. If successful, the attacker gains access to the compromised account and can further penetrate the system.
Windows devices have traditionally been vulnerable to brute force attacks against local administrator accounts. This is because Windows did not allow built-in local Administrator accounts to be locked out, no matter how many failed login attempts occurred. Attackers could essentially launch an unlimited number of password guesses over the network against the administrator account.
However, Microsoft has introduced new security capabilities in recent Windows versions to counter brute force password attacks against local administrator accounts. By properly configuring new Group Policy settings, you can now lock out local admin accounts after a specified number of failed login attempts. This significantly raises the bar for attackers trying to breach systems by brute forcing credentials.
In this tutorial we look at what a brute force attack is, how Microsoft addressed this problem, which Group Policy settings protect a Windows PC from brute force attacks, how to enable administrator account lockout policies, and ultimately how you can protect your Windows PC from brute force attacks using Group Policy.
What Is a Brute Force Attack and Its Implications on Windows Local and Domain Accounts?
A brute force attack is a password-cracking method that tries all possible password combinations until the correct password is found. The attacker tries every possible alpha-numeric and special character combination to gain access to a system.
Brute force attacks are carried out both manually and using automated password-cracking tools and scripts. Automated attacks are especially powerful when leveraging the processing power of modern GPUs. An unlimited brute force attack can crack most passwords in just hours or days.
The implication of a successful brute force attack on a Windows computer is complete compromise of the breached account. If an attacker can brute force guess the password of a local admin account, they gain full control of the system. Brute forced domain admin credentials can give an attacker broad access to domain resources.
Once valid credentials are obtained, attackers often use them in follow-on lateral movement and privilege escalation. The initial brute forced account provides the foothold into the environment. Attackers then try to expand access and move towards high-value targets.
Beyond standard passwords, attackers are also having increasing success brute forcing other authentication mechanisms like SSH keys, NTLM hashes, and Kerberos tickets. So brute force risks extend beyond just guessing login passwords.
How Did Microsoft Address This Problem Through Group Policy?
Previously, Windows did not apply account lockout policies to local administrator accounts. So there was no limit to the number of failed password guesses an attacker could make against these accounts when attempting remote access.
To counter the brute force threat against local Windows administrator accounts, Microsoft has introduced new security policies that allow these accounts to be locked out after too many invalid login attempts.
New Lockout Policies for Local Admin Accounts
In Windows 10 and Windows 11, Microsoft has added new settings under Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy that allow local administrator accounts to be locked out.
The following lockout policies can now be configured:
- Account lockout threshold – Specifies the number of invalid login attempts that will cause a user account to be locked out. For example, setting this to 10 will lock out an account after 10 failed login attempts.
- Account lockout duration – Determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. This resets the failed login counter to 0.
- Reset account lockout counter after – Specifies the number of minutes that must elapse after a failed login attempt before the failed login counter is reset to 0. This only applies if the account is not locked out.
By enabling these new account lockout policies for local administrators, Windows machines gain enhanced brute force protection. Attackers can no longer indefinitely keep trying to guess admin passwords remotely.
Default Security Improvements
Microsoft has also improved the default out-of-the-box security posture for local administrator accounts in the latest Windows 11 and Windows Server 2022 versions:
- The account lockout policies are now enabled by default during the initial operating system setup.
- Password complexity requirements are also now enforced by default on local administrator accounts on new Windows 11 and Windows Server 2022 installations.
These changes significantly strengthen default brute force protections for fresh installations. However, customers with existing systems will need to manually configure the account lockout policies to gain increased protection.
How to Enable Administrator Account Lockout Policies?
The administrator account lockout policies are not enabled by default on earlier Windows client and server versions prior to Windows 11/Windows Server 2022. To gain enhanced brute force protection, you need to manually enable the lockout policies via Group Policy. Let’s see how to enable administrator account lockout policies in both ‘Windows domain environment’ and ‘Local Windows computer’.
How to Enable Administrator Account Lockout Policies in a Windows domain environment?
Here are step-by-step instructions to enable administrator account lockout in your Windows domain environment:
- On your Windows domain controller, launch the Group Policy Management Console (GPMC).
- Right-click the Group Policy Object (GPO) you wish to configure and click Edit.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.
- Double-click Account lockout threshold and set it to the desired number of failed logon attempts before an account is locked out. For example, set it to 10 invalid logon attempts.
- Double-click Account lockout duration and set it to the desired lockout period in minutes once the account lockout threshold is reached. For example, set it to 10 minutes.
- Double-click Reset account lockout counter after and set it to the desired time period that must elapse before the failed logon counter is reset to 0. For example, set it to 10 minutes.
- Click OK to apply your lockout policy settings.
- Link the GPO to your Organizational Unit (OU) containing the Windows computers you want to protect from brute force attacks.
After the Group Policy is applied, local administrator accounts on your Windows machines will lock out for 10 minutes after 10 failed login attempts within a 10 minute period. This thwarts brute force guessing of admin account passwords.
You can adjust the lockout threshold, duration and reset values as desired for your environment. Just be sure to link the GPO containing the account lockout settings to your target OUs.
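Once the GPO is linked, the check a practitioner wants is whether the policy actually reached the member computers and whether it fires. The following PowerShell is an added example, not part of the original post: it reads the effective lockout settings with net accounts, compares them to the post's 10/10/10 values, and then lists recent lockout (4740) and failed-logon (4625) events from the Security log. It assumes an English-language Windows (the net accounts labels are matched as text) and an elevated prompt on a domain-joined computer in the targeted OU.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# on a domain-joined Windows computer in the OU the GPO is linked to.
# Assumptions: English-language Windows and the post's example values 10/10/10.

# Refresh computer policy so we inspect what the GPO actually delivered.
gpupdate /target:computer /force | Out-Null

# 'net accounts' prints the effective lockout policy for local accounts.
$effective = @{}
foreach ($line in (net accounts)) {
    switch -Regex ($line) {
        '^Lockout threshold:\s+(\S+)'                      { $effective.Threshold = $Matches[1] }
        '^Lockout duration \(minutes\):\s+(\S+)'           { $effective.Duration  = $Matches[1] }
        '^Lockout observation window \(minutes\):\s+(\S+)' { $effective.Window    = $Matches[1] }
    }
}
$expected = @{ Threshold = '10'; Duration = '10'; Window = '10' }
foreach ($k in $expected.Keys) {
    if ($effective[$k] -ne $expected[$k]) {
        Write-Warning "$k is '$($effective[$k])' (expected $($expected[$k])); check the GPO link and OU scope"
    } else {
        Write-Host "$k = $($effective[$k]) OK"
    }
}

# Event 4740 is logged on the computer that holds the locked account; a 4740
# for the built-in Administrator confirms the lockout policy is firing.
# In 4740 the TargetDomainName field carries the caller computer name.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time           = $_.TimeCreated
            LockedAccount  = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            CallerComputer = ($d | Where-Object Name -eq 'TargetDomainName').'#text'
        }
    } | Format-Table -AutoSize

# The failed attempts that led to the lockout are 4625 events; grouping by
# source address shows where the guessing is coming from.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { ([xml]$_.ToXml()).Event.EventData.Data |
        Where-Object Name -eq 'IpAddress' | Select-Object -ExpandProperty '#text' } |
    Group-Object | Sort-Object Count -Descending | Select-Object Count, Name -First 10
```

If net accounts still reports "Lockout threshold: Never" after the refresh, the GPO has not applied to this computer; gpresult /r shows which GPOs were processed.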
How to Enable Administrator Account Lockout Policies on a Local Windows Computer?
This how-to guide explains how to enable administrator account lockout policies to protect a local Windows computer from brute force password attacks.
Requirements:
- Administrative access to the local Windows computer
- A supported Windows 10 or Windows 11 operating system
Time needed: 5 minutes
Step-by-step procedure to Enable Administrator Account Lockout Policies in a Local Windows Computer.
- Launch Local Group Policy Editor
Press Windows key + R to open the Run dialog box, type gpedit.msc and click OK to launch the Local Group Policy Editor.
- Navigate to Account Lockout Policy
Expand Computer Configuration > Windows Settings > Security Settings > Account Policies and click on Account Lockout Policy.
- Configure Account Lockout Threshold
Double-click on Account lockout threshold and set it to the desired number of invalid logon attempts before the lockout. For example, set it to 10 attempts.
- Configure Account Lockout Duration
Double-click on Account lockout duration and set it to the desired lockout duration in minutes once the threshold is reached. For example, set it to 10 minutes.
- Configure Reset Account Lockout Counter
Double-click on Reset account lockout counter after and set it to the desired time period before the failed logon counter resets to 0. For example, set it to 10 minutes.
- Enable Allow Administrator Account Lockout
Double-click on Allow administrator account lockout and set it to Enabled.
- Apply the New Policy
Close the Local Group Policy Editor. The account lockout policy changes take effect immediately.
This covers the key steps to enable administrator account lockout policies on a local Windows computer to protect against brute force attacks. The lockout threshold, duration, and reset time can be adjusted as desired.
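The same four settings can be applied without the GUI, which is handy for scripting the change across standalone machines. The script below is an added example, not part of the original post: it writes a security template with the [System Access] keys that back the Account Lockout Policy settings (LockoutBadCount, LockoutDuration, ResetLockoutCount and AllowAdministratorLockout, the last being "Allow Administrator account lockout"), applies it with secedit, and reads the result back. The 10/10/10 values and the file names under $env:TEMP are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): the local policy the GUI steps
# above configure, applied from an elevated PowerShell prompt via secedit.
# Assumed values: 10 attempts / 10 minutes / 10 minutes, as in the post.

$threshold = 10   # Account lockout threshold (invalid attempts)
$duration  = 10   # Account lockout duration (minutes)
$window    = 10   # Reset account lockout counter after (minutes); must not exceed $duration

# Security-template INF understood by secedit. The [System Access] keys map
# one-to-one onto the GUI settings; AllowAdministratorLockout = 1 is the
# "Allow Administrator account lockout" policy set to Enabled.
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[System Access]
LockoutBadCount = $threshold
LockoutDuration = $duration
ResetLockoutCount = $window
AllowAdministratorLockout = 1
"@

$cfg = Join-Path $env:TEMP 'admin-lockout.inf'
$db  = Join-Path $env:TEMP 'admin-lockout.sdb'
# secedit expects a UTF-16 template file.
Set-Content -Path $cfg -Value $inf -Encoding Unicode

# Configure only the security-policy area so nothing else on the machine changes.
secedit /configure /db $db /cfg $cfg /areas SECURITYPOLICY /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }

# Verify: export the effective local policy and read back the four keys.
$out = Join-Path $env:TEMP 'admin-lockout-check.inf'
secedit /export /cfg $out /areas SECURITYPOLICY | Out-Null
Get-Content $out -Encoding Unicode |
    Select-String 'LockoutBadCount|LockoutDuration|ResetLockoutCount|AllowAdministratorLockout'

# Clean up the temporary template, database and export.
Remove-Item $cfg, $db, $out -ErrorAction SilentlyContinue
```

The export should show the four keys with the values above; net accounts shows the first three as Lockout threshold, Lockout duration and Lockout observation window.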
Windows Editions That Support Account Lockout Policies
The account lockout policy security settings are supported on the following Windows client and server editions:
- Windows 11 Pro and Enterprise
- Windows 10 Pro, Enterprise, Education
- Windows Server 2022 and 2019
- Older Windows Pro and Enterprise versions still in support
The administrator account lockout policies are enabled by default on new installations of:
- Windows 11 version 22H2
- Windows Server 2022
- Windows 10/Windows Server 2019 with Oct 2022 or later cumulative updates applied during initial setup
For existing Windows deployments, the account lockout policies must be manually configured via Group Policy as outlined above. This includes older Windows 10/Windows Server 2019 systems without the Oct 2022+ cumulative updates rolled out.
So all supported Windows versions can utilize account lockout policies to deter brute force attacks. But only the very latest OS releases have brute force protections enabled out-of-the-box for new installations.
Left unprotected, Windows administrator accounts are prime targets for brute force password attacks. By leveraging new account lockout policy capabilities in Windows, organizations can significantly improve security against brute force credential guessing.
For maximum protection, the account lockout policies should be configured via Group Policy on all compatible Windows versions. The optimal balance of security versus usability will determine the ideal failed attempt thresholds and lockout periods for a given environment.
Combining account lockouts with long, complex admin account passwords makes brute forcing Windows systems extremely difficult. Attackers are blocked after just a few failed logon attempts. Account lockout policies greatly raise the bar for successfully guessing passwords via brute force.
We hope this post helps you understand what a brute force attack is, how Microsoft addressed this problem, which Group Policy settings protect a Windows PC from brute force attacks, how to enable administrator account lockout policies, and ultimately how you can protect your Windows PC from brute force attacks using Group Policy.