Brute-Force Attacks on Windows 11 Get Harder

Microsoft is changing how it treats failed attempts to log on to Windows 11 remotely using remote desktop protocol.

The default policy for Windows 11 will soon lock accounts for ten minutes after ten failed login attempts – slowing down brute force attacks.

The policy change affects Insider Preview 22528.1000 initially but is expected to be rolled out more widely, assuming there's no major pushback from customers to the preview.

While the change is better than nothing, there are a lot of better ways to keep your Windows 11 accounts secure - not least because the change provides an opportunity for attackers to programmatically lock out all known users - including system administrators!

Two-Factor Authentication

Instead of allowing attackers to log on with just a username/password combination - something you know - two-factor authentication forces users to provide proof of an additional type of proof - something the user HAS (such as the code displayed on a secure access token) or something they ARE (a human with a fingerprint or facial profile matching that which was previously registered).

Deploying two-factor authentication used to be costly - with all users having to be issued with their own physical access tokens. But now that almost all employees have fingerprint-reading Android devices or facial-scanning iPhones, mobile-based authenticator apps that get the phone to check user biometrics have become common - especially as they're supported by Azure AD - Microsoft's cloud-hosted version of Active Directory.

Although the focus here is on the second factor, the big benefit is that it enables organisations to reduce the adverse impact of insecure passwords, reused passwords, stolen passwords and shared passwords.

Two-factor authentication isn't perfect, but it's good enough to solve a huge percentage of credential-related security problems.

Zero Trust Network Access

Even if you require two-factor authentication for remote access to your network, you may still not have a secure network.

Why? Because you've still got a barely-monitored access-anything path into the heart of your network. Sure, that path is only accessible to authenticated users, but that's not enough to guarantee security.

Even if your remote users are utterly trustworthy, the software running on their devices may not be.

ZTNA adds a layer of protection by introducing a network proxy that acts as a gatekeeper to network resources - allowing you to restrict what remote users (and in-office users) can do when connected to the network.

End-Point Security

Even if you've got two-factor authentication and users' ability to connect to network resources is carefully defined, there still a big security hole to fill - if data processing happens on end-user devices.

The hole? Corporate data - such as customer lists, confidential plans and trade secrets could be copied, for example to USB sticks, USB drives, or unencrypted local hard drives.

End-point security helps you stop that from happening. It does require that end-user devices run OS-specific security software. But as almost everyone has a computer running Windows, macOS, Linux, Android or iOS, that's not necessarily a problem. Clients exist which can keep an eye out for malware and restrict the copying of corporate files to unauthorised locations.

Such end-point security can be provided on its own or as part of a ZTNA solution.

To protect your remote workers from cybersecurity threats, talk to hSo about getting a ZTNA, End-Point Protection and Network-Level Malware Filtering. Call us on 020 7847 4510 or email us at info@hso.co.uk.