Secure Bits
Did you know you can enforce lockout even when a device is "offline"?
Normally, Windows relies on domain controllers and BadPwdCount to enforce account lockouts. But if a device is offline (no line of sight to DCs), an attacker could brute-force cached credentials without triggering traditional lockout policies.
This is where a little-known configuration comes in:
Machine Account Lockout Threshold

With this setting, Windows enforces a lockout even without DC access.
If BitLocker is enabled, it triggers a full device lockout and requires the 48-digit recovery key.
Without BitLocker, it simply reboots the machine: a speed bump at best.
Windows already slows down failed logons over time. Only BitLocker-based lockout truly raises the bar.
I can imagine two relevant attack scenarios:
1. Device left unattended or stolen: attacker tries passwords at the login screen.
2. Device stolen and BitLocker is only TPM-based: brute-force attempts are still possible.
The recommendation is to configure this GPO above your standard AD lockout policy. If AD lockout is 10 attempts, set this to 15.
GPO Path:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon: Machine account lockout threshold
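As an added example (not code from the original post), here is a PowerShell audit script that reads the effective value of this policy on a host, compares it with the domain's AD lockout threshold, and reports the OS volume's BitLocker state, so the "set it above AD lockout" recommendation and the two scenarios can be checked per machine. It assumes the policy is backed by the registry value MaxDevicePasswordFailedAttempts under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (as listed in Microsoft's security policy settings reference), that the ActiveDirectory RSAT module is available for the domain lookup, and that it runs elevated on a domain-joined Windows host; the function names are my own.

```powershell
# Added example, not from the original post: audit "Interactive logon: Machine account
# lockout threshold" against the AD lockout threshold and the OS volume's BitLocker state.
# Assumption: the policy is backed by the registry value below (Microsoft policy reference).
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$regName = 'MaxDevicePasswordFailedAttempts'

function Get-MachineLockoutThreshold {
    # 0 or a missing value means the machine-level lockout is not enforced.
    $item = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$regName
}

function Get-DomainLockoutThreshold {
    # Returns $null when the AD module is missing or no DC is reachable (the "offline" case).
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        return (Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop).LockoutThreshold
    } catch {
        return $null
    }
}

function Get-OsVolumeBitLockerState {
    # Protection status plus the key protector types on the OS volume; $null if the
    # BitLocker cmdlets are unavailable on this host.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        return [pscustomobject]@{
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        }
    } catch {
        return $null
    }
}

$machine = Get-MachineLockoutThreshold
$domain  = Get-DomainLockoutThreshold
$bl      = Get-OsVolumeBitLockerState

"Machine account lockout threshold : $machine"
"AD account lockout threshold      : $(if ($null -eq $domain) { 'unknown (no DC / no AD module)' } else { $domain })"
"OS volume BitLocker               : $(if ($null -eq $bl) { 'unknown' } else { "$($bl.ProtectionStatus) [$($bl.Protectors)]" })"

if ($machine -eq 0) {
    Write-Warning 'Machine account lockout is not enforced: offline guessing against cached credentials is not throttled by lockout.'
} elseif ($null -ne $domain -and $domain -gt 0 -and $machine -le $domain) {
    Write-Warning "Machine threshold ($machine) is not above the AD threshold ($domain); the recommendation is to set it higher (e.g. 15 vs 10)."
}
if ($null -ne $bl -and $bl.ProtectionStatus -ne 'On') {
    Write-Warning 'BitLocker is off on the OS volume: reaching the threshold only reboots the machine instead of locking it.'
}
if ($null -ne $bl -and $bl.Protectors -eq 'Tpm') {
    Write-Warning 'BitLocker is TPM-only: the OS volume unlocks automatically at boot, so password guessing at the logon screen remains possible (scenario 2).'
}
```

Run it from an elevated PowerShell session. On a host that currently has no line of sight to a DC the AD threshold shows as unknown and only the machine value and BitLocker state are reported, which is exactly the situation the setting is meant to cover; the value itself should still be deployed through the GPO path above rather than written directly to the registry.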
Have you used this setting before? Do you see a need for it in your organization?
