Microsoft announced that Windows 11 SMB Server is now better protected against brute force attacks with the release of Insider Preview Build 25206 on the Dev Channel.
Redmond has enabled the SMB authentication rate limiter by default and changed some of its settings to make such attacks less effective, starting with the latest Windows 11 Insider development build.
“With the release of Windows 11 Insider Preview Build 25206 Dev Channel today, the SMB Server service now defaults to a 2-second delay between each incoming NTLM authentication failure,” explained Ned Pyle, Senior Program Manager in the Microsoft Windows Server Engineering Group.
“This means that if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes (90,000 passwords), the same number of attempts would now take a minimum of 50 hours.”
When enabled, this feature adds a delay between each NTLM authentication failure as an additional protection for the SMB server service.
“The goal here is to make a Windows client an unattractive target, whether in a workgroup or for their local accounts when joined to a domain,” added Microsoft’s Amanda Langowski and Brandon LeBlanc.
Although the SMB server service is started automatically on all versions of Windows, it is only exposed to the Internet if the firewall is opened manually or if a client creates an SMB share, which opens it.
How to Activate on Windows Server
The SMB authentication rate limiter was first introduced in March in Windows Server, Windows Server Azure Edition, and Windows 11 Insider builds, although it was not enabled by default.
To take advantage of the enhanced brute-force attack protection on systems running Windows Server, administrators must enable it manually using the following PowerShell command (where n is the delay, in milliseconds, between each failed NTLM authentication attempt):
Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n
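As an added example (not part of the article), the following PowerShell audits the current delay on a host and raises it to the 2-second value Microsoft now applies by default; it assumes a Windows Server 2022 or Windows 11 build that exposes the InvalidAuthenticationDelayTimeInMs setting through Get-SmbServerConfiguration, and an elevated session.

```powershell
# Added example: audit and enforce the SMB authentication rate limiter.
# Assumes the InvalidAuthenticationDelayTimeInMs setting is present on this build
# and that the session is elevated (Set-SmbServerConfiguration needs admin rights).
$MinimumDelayMs = 2000   # 2 seconds, the default Microsoft applies in Build 25206

$config  = Get-SmbServerConfiguration
$current = $config.InvalidAuthenticationDelayTimeInMs

if ($null -eq $current) {
    # Older builds do not carry the setting at all, so the limiter cannot be used.
    Write-Warning "InvalidAuthenticationDelayTimeInMs is not exposed on this build; rate limiter unavailable."
    return
}

Write-Host "Current delay per failed NTLM authentication: $current ms"

if ($current -lt $MinimumDelayMs) {
    # 0 means the limiter is disabled; any value below the target is treated as too weak.
    Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs $MinimumDelayMs -Force
    $after = (Get-SmbServerConfiguration).InvalidAuthenticationDelayTimeInMs
    Write-Host "Delay raised from $current ms to $after ms"
}
else {
    Write-Host "Rate limiter already meets the $MinimumDelayMs ms minimum; no change made."
}
```

Read the value back after setting it, as the script does, because on builds that lack the feature the Set call fails rather than silently applying a delay.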
“This behavior change has no effect on Kerberos, which authenticates before an application protocol like SMB connects. It is designed to be another layer of defense in depth, especially for non-domain related devices such as home users,” Pyle added.
Today’s announcement follows several other SMB security enhancements Microsoft has revealed in recent years, including disabling the 30-year-old SMBv1 file sharing protocol by default (for some users) and SMB over QUIC reaching general availability in Windows 11 and Windows Server 2022.
“We will be strengthening, deprecating, or removing many legacy behaviors from the SMB and pre-SMB protocols over the next major releases of operating systems as part of a security modernization campaign, similar to the removal of SMB1,” concluded Pyle.