Windows 11 blocks ransomware

Microsoft It introduces a new security target for Windows 11 designed to prevent ransomware attacks, which begin with hacked password and credential-guessing attacks.

The new account credential security target is designed to help thwart ransomware attacks launched via compromised credentials or brute-force password attacks on popular RDP (Remote Desktop Protocol) endpoints on the web.

RDP remains the most popular method of initial access for ransomware spreaders, with groups that specialize in hacking RDP endpoints and selling them to gain access to others.

The new feature will be introduced with the recent Insider Test build in Windows 11, but also windows 10 Desktop and server port the feature, so Dave Weston, Vice President of OS Security and Enterprise at Microsoft. “Win11 versions now have a default account lockout policy to reduce RDP and other brute-force password vectors. This technique is commonly used in human-operated ransomware and other attacks – this control will make brute-forcing more difficult which is great,” Weston wrote. . Weston emphasized “Default” because the policy is already an option in Windows 10 but it is not enabled by default.

This is big news and parallels Microsoft’s default web macro ban Desk on Windows devices, which is also an important way for malware to attack Windows systems via email attachments and links.

Microsoft suspended the default internet macro ban this month, but it will unblock it again soon. Blocking untrusted macros by default is an effective countermeasure against a technique that relies on tricking end users into clicking an option to enable macros (which are disabled by default), although Office cautions against doing so. A cybersecurity expert welcomed the new account’s suspension.

British security expert Kevin Beaumont wrote: “Oh my God, they make the RDP input problem – between macros and RDP, this makes almost all Windows/MS ransomware entries.” “Assuming this is included in a monthly (wide distribution) security patch, this will solve one of the most important entry points for ransomware (Source: My team deals with 5,000 security incidents annually),” he added.

The default settings can be found in the Account Lockout Policy guide for local computers running Windows policies. The default account lockout time is 10 minutes, the account lockout limit is set to a maximum of 10 invalid login attempts, the Allow account lockout for administrators setting is enabled, and the Reset account lockout counter setting is set to 10 minutes.

Regardless of ransomware attacks, Windows 11 Security Control should address the common problem of brute force attacks with passwords, such as b-brute credential filling, which is very effective when multi-factor authentication (MFA) is not enabled for an account. As Beaumont recently pointed out, MFA is not included in the RDP and it is easy to enforce authentication.

Microsoft has not commented on how the new security control will be rolled out in Windows 11 and Windows 10, but it could be included in a future security update. According to Weston, the control should be available in Windows 11 Insider Preview Build 22528.1000 and later.

Microsoft has tried to improve the overall security foundation for Windows customers. In May, the company began rolling out Security Authorizations to millions of customers who use Azure Active Directory. The default settings ensure that customers can enable MFA when needed, based on the user’s location, device, role, and mission.