It wasn't so long ago that we were wondering what improvements Windows 11 would make in the security stakes. Well, we haven't had to wait too long to find out.
Windows 11 build 22528.1000 and up will tackle one of the more common entry points for network intruders. Namely, trying to prevent the brute forcing of Remote Desktop Protocol (RDP) by adding a default RDP lockout policy:
Being able to access a computer remotely is a proverbial killer app for business. Unfortunately, this comes with several dangers if not configured correctly. Microsoft's latest changes are designed to address these threats head on.
RDP: a hot target for network intrusion
RDP attacks are a prime tool for ransomware operators. Brute forcing a way into vulnerable machines is often the first step to total network compromise and data exfiltration. Microsoft's own research in this realm is particularly illuminating with regard to giving a flavour of scale:
We analyzed several months’ worth of data to mine insights into the types of RDP brute force attacks occurring across Microsoft Defender ATP customers. Out of about 45,000 machines that had both RDP public IP connections and at least 1 network failed sign-in, we discovered that, on average, several hundred machines per day had high probability of undergoing one or more RDP brute force attack attempts. Of the subpopulation of machines with detected brute force attacks, the attacks lasted 2-3 days on average, with about 90% of cases lasting for 1 week or less, and less than 5% lasting for 2 weeks or more.
The research goes on to say:
Out of the hundreds of machines with RDP brute force attacks detected in our analysis, we found that about .08% were compromised. Furthermore, across all enterprises analyzed over several months, on average about 1 machine was detected with high probability of being compromised resulting from an RDP brute force attack every 3-4 days.
To summarise: RDP attacks are not uncommon, and it's important to be able to tell the difference between genuine failed sign-ins and actual brute forcing. In situations where brute forcing is taking place with few to zero security precautions for an organisation's RDP setup, this can be fatal in giving attackers one foot in the door.
Microsoft battens down the hatches
Our own research shows how rate limiting the number of password attempts can hinder attackers enough that they leave empty-handed:
In our test, attackers were shut out for five minutes if they entered five incorrect passwords within the space of five minutes. Our attackers were persistent over several days and received, on average, about 150 bans per day.
To trigger 150 bans per day, our attackers must have made 750 incorrect guesses and incurred 750 minutes of bans, leaving them 690 minutes of the day in which to guess passwords. 750 guesses in 690 minutes gives us a guessing rate of about one password every 55 seconds, or about 1,500 guesses per day.
At that guessing rate, rate limiting reduced the number of daily password attempts from 1500 to 750, halving the effectiveness of the attack and doubling the time a security team would have to react.
What Microsoft is doing is setting the lockout to 10 failed attempts in 10 minutes. Some consideration has been given to the fact that not everyone is going to be running Windows 11, and older versions exist that could do with some lockout love. Ask and you shall receive, because these changes are also being applied to older versions of Windows:
Microsoft recently reversed a decision to undo the blocking of VBA Macros after uproar among Office users. Hopefully the people making security decisions will continue to clamp down on potential weak spots and easy routes to success for network intruders and malware authors. RDP is the opening salvo of choice for many intrusion attempts, and making these lockouts the default can only be a good thing.