[German] Microsoft is starting to improve protection for the SMB protocol in Windows 11. To that end, Microsoft has introduced a delay between failed SMB authentication attempts in Windows 11 Insider Previews. This is intended to make attacks on SMB authentication harder. There is also guidance on protecting SMB traffic from interception and monitoring. Microsoft has published a couple of blog posts about the protections that have been put in place.
Windows 11 SMB Auth Rate Limiter
Microsoft introduces a new protection for SMB authentication in Windows 11. An SMB authentication rate limiter causes a 2-second delay between failed authentication requests. The following tweet points out this issue.
Microsoft has published the Techcommunity post "SMB authentication rate limiter now on by default in Windows Insider". In it, Ned Pyle explains the feature, which was introduced in Insider versions of Windows 11 and Windows Server.

Administrators often enable access to the SMB server service on machines that are not dedicated file servers. The problem is that SMB gives attackers the ability to launch authentication attempts. If an attacker knows a username, they can use common open-source tools to send dozens to hundreds of local or Active Directory NTLM login attempts per second to a computer in order to guess the password. If no intrusion detection software is in use and no account lockout policy is in place, an attacker can guess a user's password within hours or days. A home user who turns off the firewall and puts the device on an insecure network faces the same problem.
This is exactly what the SMB authentication rate limiter is designed to stop. Windows 11 Insider Preview Build 25206 (Dev Channel) now defaults the SMB server service to a 2-second delay between each failed incoming NTLM authentication. This means that an attacker who previously sent 300 brute-force attempts per second from a client for 5 minutes (90,000 passwords) now needs at least 50 hours for the same number of attempts. The goal is to make a computer a very unattractive target for attacks on local credentials via SMB.
The delay is configurable, and you can disable it altogether if you run into an application compatibility problem. The current value can be queried and changed via PowerShell; the configuration command is:

Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n

The value is specified in milliseconds and must be a multiple of 100.
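As an added example (not code from Microsoft's post or from this blog), the following PowerShell audits the rate limiter on the local machine, applies a validated value, and reproduces the post's time estimate. It assumes a build that exposes InvalidAuthenticationDelayTimeInMs and an elevated session; Get-SmbServerConfiguration is the read-side counterpart of the Set cmdlet shown above, and the function names are my own.

```powershell
# Added example: audit and tune the SMB authentication rate limiter.
# Assumes Windows 11 Insider Preview Build 25206+ (or a later release
# build that carries the setting) and an elevated PowerShell session.

function Get-SmbAuthRateLimit {
    # Current delay between failed NTLM authentications, in milliseconds.
    # 0 means the limiter is disabled.
    (Get-SmbServerConfiguration).InvalidAuthenticationDelayTimeInMs
}

function Set-SmbAuthRateLimit {
    param([Parameter(Mandatory)][int]$DelayMs)
    # The setting must be a non-negative multiple of 100 ms; reject
    # anything else before touching the server configuration.
    if ($DelayMs -lt 0 -or ($DelayMs % 100) -ne 0) {
        throw "DelayMs must be a non-negative multiple of 100 (got $DelayMs)"
    }
    Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs $DelayMs -Force
    # Read the value back so the caller sees what actually took effect.
    Get-SmbAuthRateLimit
}

function Get-BruteForceEstimateHours {
    # Hours an attacker needs for $Attempts failed logons when each failure
    # is delayed by $DelayMs (the post's example: 90,000 guesses at 2 s = 50 h).
    param(
        [int]$Attempts = 90000,
        [int]$DelayMs  = (Get-SmbAuthRateLimit)
    )
    if ($DelayMs -le 0) { return 0 }   # no limiter: bounded only by client speed
    [math]::Round(($Attempts * $DelayMs) / 1000 / 3600, 1)
}

# Usage: report the current state; warn if the limiter has been turned off.
$current = Get-SmbAuthRateLimit
if ($current -eq 0) {
    Write-Warning "SMB auth rate limiter is disabled on $env:COMPUTERNAME"
} else {
    "Delay: $current ms; 90,000 guesses would take about $(Get-BruteForceEstimateHours) h"
}
```

Run `Set-SmbAuthRateLimit -DelayMs 2000` to restore the Insider default, or `-DelayMs 0` to disable the limiter while troubleshooting an application compatibility problem.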
Protect SMB traffic from interception
In the article of that name, Microsoft explains how an attacker can use interception techniques against the SMB protocol and how administrators can mitigate such an attack. The concepts help administrators develop their own defense-in-depth strategy for the SMB protocol. In other tweets, Pyle also points to the following Microsoft posts:
- Beyond the Edge: How to Secure SMB Traffic in Windows
- Secure SMB Traffic in Windows Server
- SMB over QUIC