New Windows 11 Default Policy to Help Prevent RDP Brute-Force Attacks
Microsoft has enabled a default policy in Windows 11 builds that is designed to help thwart brute-force Remote Desktop Protocol (RDP) attacks. Accounts will be locked for 10 minutes after 10 incorrect login attempts. The account lock setting is available in Windows 10 but is not enabled by default.
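The following PowerShell script is an added example, not code from the article or from Microsoft. It audits a host's local account-lockout policy against the Windows 11 default described above (lock for 10 minutes after 10 failed attempts), shows the `net accounts` command that would apply the same values on an older build where the policy is off by default, and lists recent lockout events (Security event 4740) so that a lockout burst on an internet-facing RDP host is visible rather than silent. The reset-counter window of 10 minutes passed to `/lockoutwindow` is an assumption (the article states only the threshold and duration), and the event query assumes "Audit User Account Management" success auditing is enabled.

```powershell
# Added example (not from the article): audit the local lockout policy and
# surface recent lockouts. Run in an elevated PowerShell on the host.

$ExpectedThreshold = 10   # failed attempts before lockout (from the article)
$ExpectedDuration  = 10   # minutes the account stays locked (from the article)
$AssumedWindow     = 10   # reset-counter window; assumption, not from the article

function Get-LocalLockoutPolicy {
    # secedit exports the effective local security policy as an .inf file;
    # the [System Access] section carries the lockout values.
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $policy = @{ LockoutBadCount = 0; LockoutDuration = 0; ResetLockoutCount = 0 }
    foreach ($line in Get-Content $inf) {
        # LockoutDuration may be -1, meaning "locked until an administrator unlocks"
        if ($line -match '^(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)') {
            $policy[$matches[1]] = [int]$matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $policy
}

function Test-LockoutPolicy {
    param([hashtable]$Policy)
    if ($Policy.LockoutBadCount -eq 0) {
        Write-Warning 'No lockout threshold set: unlimited password guesses are accepted over RDP.'
        return $false
    }
    if ($Policy.LockoutBadCount -gt $ExpectedThreshold) {
        Write-Warning "Threshold is $($Policy.LockoutBadCount) attempts, weaker than the $ExpectedThreshold-attempt default."
        return $false
    }
    if ($Policy.LockoutDuration -ne -1 -and $Policy.LockoutDuration -lt $ExpectedDuration) {
        Write-Warning "Duration is $($Policy.LockoutDuration) min, shorter than the $ExpectedDuration-minute default."
        return $false
    }
    Write-Host "Lockout policy OK: $($Policy.LockoutBadCount) attempts, $($Policy.LockoutDuration) min, reset after $($Policy.ResetLockoutCount) min."
    return $true
}

function Get-RecentLockouts {
    param([int]$Hours = 24)
    # Event 4740 is written on the machine that holds the account (the DC for
    # domain accounts). TargetUserName is the locked account; TargetDomainName
    # carries the caller computer name that triggered the lockout.
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            Caller  = ($data | Where-Object { $_.Name -eq 'TargetDomainName' }).'#text'
        }
    }
}

$current = Get-LocalLockoutPolicy
if (-not (Test-LockoutPolicy -Policy $current)) {
    # Uncomment to enforce the article's values. /lockoutwindow must not exceed
    # /lockoutduration, which is why the assumed 10-minute window is used.
    # net accounts /lockoutthreshold:$ExpectedThreshold /lockoutduration:$ExpectedDuration /lockoutwindow:$AssumedWindow
    Write-Host 'Apply with: net accounts /lockoutthreshold:10 /lockoutduration:10 /lockoutwindow:10'
}

# Repeated lockouts of the same account from one caller in a short window is the
# signature of a password-guessing run that the policy is now throttling.
Get-RecentLockouts -Hours 24 | Group-Object Account, Caller |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize
```

On a domain-joined host the effective values come from the Default Domain Policy rather than the local policy, so run the audit against the GPO (or on a domain controller) as well; `secedit` on a member only reflects what applies locally. Lockout events are likewise logged on the domain controller for domain accounts, so the 4740 query should be run or forwarded from there.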
Nice move by Microsoft. RDP has been called "Ransomware Deployment Protocol" for a reason. Sadly, it is still widely deployed without sufficient controls and Microsoft's move will make it slightly less likely for a carelessly deployed system to be compromised.
Two security policies that have been common requirements that have been too often ignored or bypassed are lockout after failed attempts and requiring MFA on all remote access. Microsoft turning on lockout by default for RDP is a good thing, but turning on MFA for RDP obviates the need for lockout and stops more than just brute force attacks.
Account lockout is excellent, and you should enable it on all platforms which support it. Now go make sure that any internet facing RDP requires MFA, and is sufficiently monitored and otherwise secured to withstand malfeasance.
It is good to see a vendor like Microsoft making security by default the standard setting in its newer products. It has been a long time coming and I hope we see this initiative spread to many other settings and products, not just those offered by Microsoft but for other vendors too.
This control is not disruptive and might well be enabled by default.