RDP Brute-Force Attacks

Microsoft is now taking steps to prevent Remote Desktop Protocol (RDP) brute-force attacks as part of the latest builds for the Windows 11 operating system in an attempt to raise the security baseline to meet the evolving threat landscape.

To that end, the default policy for Windows 11 builds – particularly, Insider Preview builds 22528.1000 and newer – will automatically lock accounts for 10 minutes after 10 invalid sign-in attempts.

“Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute-force password vectors,” David Weston, Microsoft’s vice president for OS security and enterprise, said in a series of tweets last week. “This technique is very commonly used in Human Operated Ransomware and other attacks — this control will make brute forcing much harder which is awesome!”

It’s worth pointing out that while this account lockout setting is already incorporated in Windows 10, it’s not enabled by default.

The feature, which follows the company’s decision to resume blocking of Visual Basic Application (VBA) macros for Office documents, is also expected to be backported to older versions of Windows and Windows Server.

Aside from malicious macros, brute-forced RDP access has long been one of the most popular methods used by threat actors to gain unauthorized access to Windows systems.

LockBit, which is one of the most active ransomware gangs of 2022, is known to often rely on RDP for initial foothold and follow-on activities. Other families seen using the same mechanism include Conti, Hive, PYSA, Crysis, SamSam, and Dharma.

In implementing this new threshold, the objective is to significantly diminish the effectiveness of the RDP attack vector and forestall intrusions that rely on password-guessing and compromised credentials.

“Brute-forcing RDP is the most common method used by threat actors attempting to gain access to Windows systems and execute malware, ” Zscaler noted last year.

“Threat actors scan for […] publicly open RDP ports to conduct distributed brute-force attacks. Systems that use weak credentials are easy targets, and, once compromised, attackers sell access to the hacked systems on the dark web to other cybercriminals.”

That said, Microsoft, in its documentation, warns of potential denial-of-service (DoS) attacks that could be orchestrated by abusing the Account lockout threshold policy setting.

“A malicious user could programmatically attempt a series of password attacks against all users in the organization,” the company notes. “If the number of attempts is greater than the value of Account lockout threshold, the attacker could potentially lock every account.”