Microsoft is deploying new features and defaults to help keep threat actors from remotely accessing networks, but you can do more. Credit: FireMon / D3Damon / Getty Images One long-favored way that ransomware enters your system is through Microsoft’s Remote Desktop Protocol (RDP) attacks. Years ago when we used Microsoft’s Terminal Services (from which RDP evolved) for shared remote access inside or outside of an office, attackers would use a tool called TSGrinder. It would first review a network for Terminal Services traffic on port 3389. Then attackers would use tools to guess the password to gain network access. They would go after administrator accounts first. Even if we changed the administrator account name or moved the Terminal Services protocol to another port, attackers would often sniff the TCP/IP traffic and identify where it was moved to.Attackers still go after our remote access, this time via RDP. With human-operated ransomware techniques, attackers gain access and then use higher privileges to gain more access in a network. You have several ways to protect your network from brute-force or other targeted remote attacks. Use administrator accounts with blank passwordsBelieve it or not, one way to block such attacks is to have a blank password for the administrator account. Using the Group Policy setting “Accounts: Limit local account use of blank passwords to console logon only” blocks the ability for anyone to remote into the network with a blank password. While this clearly is not an ideal protection, it’s an interesting one that’s been available in Group Policy since Server 2003.Set Windows 11 lockout policiesIncluded in the Insider releases of Windows 11 and ultimately coming to Windows 11 22H2 will be a new policy that will set a more granular lockout policy than we currently have with Windows 10 or server platforms. The lockout policy in Windows 10 and Windows 11 appears as follows: You get three policies: “Account locker duration”, “Account lockout threshold”, and one to reset account lockout counter after a set number of minutes.Windows 11 22H2 will ship with one more policy setting and with the following defaults: Account lockout duration will be set to 10 minutes.Account lockout threshold will be set to 10 invalid logon attempts.Reset account lockout counter after 10 minutes.In addition, there is a new setting: “Allow Administrator account lockout”. In social media posts, David Weston, Microsoft’s vice president for Enterprise and Operating system security, indicated that this would be backported to Windows 10.Add multi-factor authentication and account lockout toolsWhat should you do in the meantime? RDP is responsible for roughly 70% to 80% of network breaches, so I recommend upping the ante. That starts with adding multi-factor authentication to the remote process.TS_Block is a tool that blocks brute-force Terminal Services login attempts. As the developer notes in the readme file, it is “a VBScript program that acts as a WMI event sink to receive events logged by Windows in response to invalid Terminal Services logons.” It will:Block logons from an IP address with a username flagged as “block immediately.”Block IP addresses if more logon attempts are made than the preset allowance in a time period.The “block immediately” usernames and thresholds associated with repeated logon attempts are configurable with these default settings:Block immediately usernames – administrator, root, guestLogon attempts allowed – 5 in 120 seconds (2 minutes)Duration of block – 300 seconds (5 minutes)It also comes with a Group Policy administrative template file.Account lockout is not new. In fact, it’s been discussed for many years, but we often don’t take the time to review user security baselines and other defaults as recommended by Microsoft or NIST. Case in point is a blog post from 2014 on configuring account lockout thresholds. Review your password policiesEncourage the use of smart cards or other processes that do not rely on passwords. You should also set standards for password length and complexity.Microsoft will be setting default password policies going forward, but you should adjust and tweak them to your needs. If you are getting many help-desk calls to reset passwords, review what the root cause is. Do you not have a reasonable password policy? Do you not have a process to self-change and reset passwords? Do you rely only on passwords and not use more modern technology that allows for authentication process that are easier for the end user, but at the same time more secure by design? If you find after rolling out these defaults in your Windows 11 environment that it causes more issues in your environment, you may need to review and add technology rather than remove the default policies. Related content brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime news analysis China’s offensive cyber operations support “soft power” agenda in Africa Researchers track Chinese cyber espionage intrusions targeting African industrial sectors. By Michael Hill Sep 21, 2023 5 mins Advanced Persistent Threats Cyberattacks Critical Infrastructure brandpost Proactive OT security requires visibility + prevention You cannot protect your operation by simply watching and waiting. It is essential to have a defense-in-depth approach. By Austen Byers Sep 21, 2023 4 mins Security news Gitlab fixes bug that exploited internal policies to trigger hostile pipelines It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies. By Shweta Sharma Sep 21, 2023 3 mins Vulnerabilities Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe