
Jul 26, 2022

Windows enables default account lockout policy for RDP (Remote Desktop Protocol) to reduce ransomware attacks based on brute forcing RDP

Posted in categories: cybercrime/malcode, policy

Microsoft has chosen to add specific security measures against brute force attacks on RDP (Remote Desktop Protocol). These security improvements have been introduced in the most recent builds of Windows 11. Given the evolution of this type of attack abusing RDP, Microsoft decided to add the security measure in the latest Insider Preview 22528.1000. The policy automatically locks an account for 10 minutes after 10 invalid login attempts. The news was broken by David Weston (VP of OS & Enterprise Security) on Twitter last week.

These kinds of attacks against RDP are quite common in human-operated ransomware. This relatively simple measure complicates brute force attacks and is quite effective in discouraging them. However, it was already possible to activate this measure in Windows 10, so the real novelty is that it is now enabled by default.
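Because the setting has to be turned on by hand on systems where it is not yet the default, the following added example (not from the article or from Microsoft) audits the lockout values in a `secedit /export` policy dump against the 10-attempt / 10-minute figures quoted above. The function names, the sample exports and the 10-minute counter reset window are assumptions made for illustration.

```powershell
# Added example: audit account lockout settings found in a secedit export.
# Live input, from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY
#   $lines = Get-Content "$env:TEMP\secpol.inf"

function Get-LockoutSetting {
    param([Parameter(Mandatory)][string[]]$PolicyLines)
    $found = @{}
    foreach ($line in $PolicyLines) {
        if ($line -match '^\s*(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)\s*$') {
            $found[$Matches[1]] = [int]$Matches[2]
        }
    }
    $found
}

function Test-LockoutBaseline {
    param(
        [hashtable]$Setting = @{},
        [int]$MaxAttempts = 10,       # from the article
        [int]$MinLockMinutes = 10,    # from the article
        [int]$MinResetMinutes = 10    # assumption: the article gives no reset window
    )
    # A missing or zero LockoutBadCount means accounts never lock.
    if (-not $Setting['LockoutBadCount']) {
        return 'FAIL: lockout disabled (LockoutBadCount is 0 or absent)'
    }
    $findings = @()
    if ($Setting['LockoutBadCount'] -gt $MaxAttempts) {
        $findings += "FAIL: threshold $($Setting['LockoutBadCount']) exceeds $MaxAttempts attempts"
    }
    # LockoutDuration -1 keeps the account locked until an administrator unlocks it.
    $duration = $Setting['LockoutDuration']
    if ($null -eq $duration -or ($duration -ne -1 -and $duration -lt $MinLockMinutes)) {
        $findings += "FAIL: lock duration '$duration' is below $MinLockMinutes minutes"
    }
    $reset = $Setting['ResetLockoutCount']
    if ($null -eq $reset -or $reset -lt $MinResetMinutes) {
        $findings += "FAIL: counter reset window '$reset' is below $MinResetMinutes minutes"
    }
    if ($findings.Count -eq 0) { $findings += 'PASS: meets the 10-attempt / 10-minute baseline' }
    $findings
}

# Constructed sample exports, not taken from a real host.
$samples = [ordered]@{
    weak     = @('[System Access]', 'MinimumPasswordLength = 0', 'LockoutBadCount = 0')
    hardened = @('[System Access]', 'LockoutBadCount = 10', 'ResetLockoutCount = 10', 'LockoutDuration = 10')
}
foreach ($s in $samples.GetEnumerator()) {
    "{0}: {1}" -f $s.Key, ((Test-LockoutBaseline -Setting (Get-LockoutSetting $s.Value)) -join '; ')
}
```

On a standalone host that fails the check, `net accounts /lockoutthreshold:10 /lockoutduration:10 /lockoutwindow:10` applies the same values; domain-joined machines take the policy from Group Policy instead.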

On the other hand, as happened with the blocking of VBA macros for Office documents, the measure is expected to be implemented for previous versions of Windows and Windows Server as well. Aside from malicious macros, brute force RDP access has long been one of the most popular methods used in cyberattacks. This strategy was successful in gaining initial unauthorized access to Windows systems. Among other ransomware, LockBit, Conti, Hive, PYSA, Crysis, SamSam, and Dharma are known to rely on these types of attacks to gain initial access to victims’ computers.
