Microsoft is trying to improve the resilience of its own ecosystem against cybercrime attacks with a number of measures. Remote maintenance via RDP gets brute force protection, macros in documents from the Internet should now be blocked again and Windows also protects passwords better. The problem with this: Microsoft doesn’t bother to document it properly.
Last week, Microsoft Vice President David Weston tweeted that Windows 11 builds now have an “Account Lockout Policy” active by default. Accordingly, after ten failed login attempts within 10 minutes, access will be blocked for 10 minutes in the future. According to Weston, this will prevent simple passwords from being guessed via RDP, which is often used in ransomware attacks.
Attacks via RDP are indeed still a key gateway for cybercrime gangs using ransomware. However, these RDP intrusions usually take place with credentials stolen by other means, for example through an infection with spy software such as Emotet. It is at least questionable whether the so-called brute forcing of passwords actually plays a significant role in ransomware attacks.
Macros blocked again
In February, Microsoft announced in a blog post that it would block the execution of macros in the future if an Office document came from the Internet, i.e. if it reached the computer via e-mail or a download. Well-crafted phishing emails that persuade the user to open an Office document prepared with macros are the trademark of many so-called initial access brokers such as Emotet, who then sell the hijacked access to ransomware gangs.
Blocking this gateway for malware was unanimously welcomed by security experts. However, after heise Security, among others, noticed that the macro block, which was supposedly already active, did not work (anymore), Microsoft quickly updated the article to state that the protection function had been deactivated again. Last week a second update followed, announcing that it will be rolled out again from July 27th.
Better password protection
Microsoft quietly fixed a security problem in the protection of privileged Windows processes that attackers could use to steal passwords or at least their hashes on a system. Cyber criminals do this routinely in order to spread further in the company networks (lateral movement) before they deploy their encryption Trojans.
One of the most important attack targets is the Windows process lsass.exe, which handles all user login processes in the background and keeps passwords or their hashes in the main memory. By default, an attacker with administrator rights can read them. Microsoft therefore recommends that admins run lsass.exe as a Protected Process Light (PPL) to shield it from such access.
But the PPL protection could be circumvented with a trick. The PPLdump tool demonstrated how a normal process (with admin rights) can read out the main memory of lsass.exe despite PPL by injecting a DLL. However, with a patch of the NTDLL library that was rolled out in July 2022, the trick used no longer works. After more than a year, Microsoft has secretly improved the PPL protection, the author of PPLdump noted, puzzled.
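Two of the hardening points above, the lockout policy from the tweet and the PPL configuration of lsass.exe, can be audited from the defender's side. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes an elevated session on an English-language Windows 10/11 system (the `net accounts` labels are localized), the documented `RunAsPPL` value under the LSA registry key, and Wininit Event ID 12 as the boot-time evidence that lsass actually started protected.

```powershell
# Added example: audit lsass PPL configuration and the account lockout policy.
# Assumptions: elevated PowerShell, English 'net accounts' output,
# RunAsPPL under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, Wininit Event ID 12.

function Get-LsassPplStatus {
    # RunAsPPL is the switch that asks Windows to start lsass.exe as PPL at the next boot.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $configured = ($null -ne $lsa.RunAsPPL) -and ($lsa.RunAsPPL -ne 0)

    # The registry value only states the request; Wininit logs Event ID 12 in the
    # System log when lsass really came up as a protected process.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RunAsPPL         = $lsa.RunAsPPL
        ConfiguredForPPL = $configured
        StartedProtected = ($null -ne $evt)
        LastEvidence     = $(if ($evt) { $evt.TimeCreated })
    }
}

function Get-NetAccountsValue {
    # Pull one labelled value out of 'net accounts'; returns $null if the label is absent.
    param([string[]]$Lines, [string]$Label)
    $pattern = '^{0}\s+(\S+)' -f [regex]::Escape($Label)
    $m = $Lines | Select-String -Pattern $pattern | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
}

function Get-LockoutPolicy {
    $text = net accounts
    $threshold = Get-NetAccountsValue $text 'Lockout threshold:'          # 'Never' when disabled
    $duration  = Get-NetAccountsValue $text 'Lockout duration (minutes):'
    $window    = Get-NetAccountsValue $text 'Lockout observation window (minutes):'
    [pscustomobject]@{
        Threshold       = $threshold
        DurationMinutes = $duration
        WindowMinutes   = $window
        # The article reports 10 attempts / 10 min lockout / 10 min window as the new default.
        MatchesTweet    = ($threshold -eq '10' -and $duration -eq '10' -and $window -eq '10')
    }
}

Get-LsassPplStatus | Format-List
Get-LockoutPolicy  | Format-List
```

A `ConfiguredForPPL` of `True` with `StartedProtected` still `False` usually means the value was set but the machine has not rebooted since, so the running lsass.exe is not yet protected.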
The fact that Microsoft is continuously working to improve Windows security is commendable. It would be even better if it also reliably published and documented these changes. But anyone who relies on Microsoft’s official communication channels will not notice anything. A short message on Twitter, updates to months-old MS blog posts, or the research of a keen security researcher: these are currently the typical sources from which information on security improvements in the Windows environment has to be pieced together.