
Microsoft says SMB signing (aka security signatures) will be required by default for all connections to defend against NTLM relay attacks, starting with the current version of Windows rolling out to Insiders in the Canary Channel.

In such attacks, threat actors force network devices (including domain controllers) to authenticate to malicious servers under attackers’ control, then impersonate them and elevate privileges to gain complete control of the Windows domain.

“This changes legacy behavior, where Windows 10 and 11 required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing when a client connected to them,” Microsoft said.

SMB signing helps block malicious authentication requests by confirming sender and recipient identities through embedded signatures and hashes at the end of each message.

SMB servers and remote shares where SMB signing is disabled will trigger connection errors with various messages, including “The cryptographic signature is invalid”, “STATUS_INVALID_SIGNATURE”, “0xc000a000”, or “-1073700864”.

This security mechanism has been available for a while now, starting with Windows 98 and 2000, and it’s been updated in Windows 11 and Windows Server 2022 to improve performance and protection by dramatically speeding up data encryption.

Disadvantages of Enhanced Security

While blocking NTLM relay attacks should be high on any security team’s list, Windows administrators might object to this approach because it could lead to reduced SMB copy speeds.

“SMB signing can reduce the performance of SMB copy operations. You can mitigate this with more physical CPU cores or virtual CPUs as well as newer, faster CPUs,” Microsoft warned.

However, administrators have the option to disable the SMB signing requirement in both server and client connections by running the following commands from an elevated Windows PowerShell terminal:

Set-SmbClientConfiguration -RequireSecuritySignature $false
Set-SmbServerConfiguration -RequireSecuritySignature $false

Although no system restart is required after issuing these commands, SMB connections that are already open continue to use the signing state they negotiated until they are closed and re-established.
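The commands above relax the requirement. The script below is an added example (not from the article or from Microsoft) showing the defensive counterpart: audit the current client and server signing settings with the Get-SmbClientConfiguration and Get-SmbServerConfiguration cmdlets, enforce signing on both roles, and list open connections that negotiated without signing, since those keep their state until closed. It assumes an elevated PowerShell session with the built-in SmbShare module, and that Get-SmbConnection exposes the Signed and Encrypted properties (present on Windows 10 / Server 2016 and later).

```powershell
# Added example, not Microsoft's code. Run from an elevated PowerShell session.
# Requires the SmbShare module that ships with Windows 8 / Server 2012 and later.

function Get-SmbSigningPosture {
    # Snapshot the signing-related settings for both the client and server roles.
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        ClientRequiresSigning = $client.RequireSecuritySignature
        ClientEnablesSigning  = $client.EnableSecuritySignature
        ServerRequiresSigning = $server.RequireSecuritySignature
        ServerEnablesSigning  = $server.EnableSecuritySignature
    }
}

function Set-SmbSigningRequired {
    # Inverse of the commands quoted in the article: require signatures on both roles.
    # -Force suppresses the confirmation prompt; pass -WhatIf to preview without changing anything.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('SMB client', 'Require security signature')) {
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    }
    if ($PSCmdlet.ShouldProcess('SMB server', 'Require security signature')) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }
}

function Get-UnsignedSmbConnections {
    # Connections that were already open keep the signing state they negotiated,
    # so list any that are currently unsigned; they will pick up the new setting once reconnected.
    Get-SmbConnection |
        Where-Object { -not $_.Signed } |
        Select-Object ServerName, ShareName, UserName, Dialect, Signed, Encrypted
}

Write-Host 'Signing posture before enforcement:'
Get-SmbSigningPosture | Format-List

Set-SmbSigningRequired

Write-Host 'Signing posture after enforcement:'
Get-SmbSigningPosture | Format-List

Write-Host 'Open connections that are still unsigned (close and reopen them to apply the change):'
Get-UnsignedSmbConnections | Format-Table -AutoSize
```

Because the cmdlets use the ShouldProcess pattern, `Set-SmbSigningRequired -WhatIf` shows what would change without touching the configuration, which is useful when rolling the setting out to a fleet via remoting. Servers or clients that still have signing disabled on the other end of a connection will, after enforcement, fail with the errors the article lists (STATUS_INVALID_SIGNATURE / 0xc000a000), which is the signal to fix the peer rather than to relax the requirement.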

“Expect this signature default change to come to Pro, Education, and other Windows editions over the next few months, as well as Windows Server. Depending on how things go in Insiders, it will then start appearing in major releases,” said Ned Pyle, Senior Program Manager at Microsoft.

Today’s announcement is part of a larger initiative to improve Windows and Windows Server security, as demonstrated over the past year.

In April 2022, Microsoft announced the final phase of SMB1 deactivation in Windows by disabling the 30-year-old file sharing protocol by default for Windows 11 Home Insiders.

Five months later, the company announced better protection against brute force attacks with the introduction of an SMB authentication rate limiter to deal with failed incoming NTLM authentication attempts.
