Windows 11 strengthens SMB traffic protection

Microsoft is starting to improve protection for the SMB protocol in Windows 11. In Insider Preview builds, a delay is now enforced between failed SMB authentication attempts, which is intended to slow down password guessing against the SMB server service. Microsoft has also published guidance on protecting SMB traffic from interception. Both protections are described in a couple of Microsoft blog posts.



Windows 11 SMB Auth Rate Limiter

Microsoft introduces a new protection for SMB authentication in Windows 11. An SMB authentication rate limiter enforces a 2-second delay between failed authentication requests. The following tweet points out this feature.

SMB auth rate-limiter in Windows 11

Microsoft has published the Techcommunity post SMB authentication rate limiter now on by default in Windows Insider. Ned Pyle explains the feature, which was introduced in Insider versions of Windows 11 and Windows Server. Administrators often leave the SMB server service reachable on machines that are not dedicated file servers. The problem is that SMB gives attackers a way to launch authentication attempts: if an attacker knows a username, common open-source tools can send dozens to hundreds of local or Active Directory NTLM login attempts per second to a computer in order to guess the password. Without intrusion detection or an account lockout policy, a user's password can be guessed within days or hours. A home user who turns off the firewall and puts the device on an untrusted network faces the same problem.

This is exactly what the SMB authentication rate limiter is designed to stop. Starting with Windows 11 Insider Preview Build 25206 (Dev Channel), the SMB server service by default waits 2 seconds after each failed incoming NTLM authentication. An attacker who previously sent 300 brute-force attempts per second from a client for 5 minutes (90,000 passwords) now needs at least 50 hours for the same number of attempts. The goal is to make a computer a very unattractive target for attacks on local credentials via SMB.

The length of the delay is configurable, and the limiter can also be disabled if it causes an application compatibility problem. You can query the current value with:



Get-SmbServerConfiguration

The delay is set via PowerShell:

Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n

The value n is specified in milliseconds and must be a multiple of 100.
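As an added example (not from the original post and not Microsoft's own script), the following PowerShell checks whether the build exposes the limiter, reads the current delay, sets it to a validated value, and repeats the post's 90,000-attempt estimate for the configured delay. It assumes the SmbShare cmdlets are available, that a value of 0 disables the delay, and that it runs in an elevated session.

```powershell
# Added example: audit and configure the SMB authentication rate limiter.
# Assumptions: Get-/Set-SmbServerConfiguration expose InvalidAuthenticationDelayTimeInMs
# (Windows 11 Insider Preview Build 25206 or later), 0 disables the delay,
# and the session is elevated.
[CmdletBinding()]
param(
    # Desired delay in milliseconds; must be a non-negative multiple of 100.
    [int]$DelayMs = 2000
)

if ($DelayMs -lt 0 -or ($DelayMs % 100) -ne 0) {
    throw "DelayMs must be a non-negative multiple of 100 (got $DelayMs)."
}

$config = Get-SmbServerConfiguration
if ($null -eq $config.PSObject.Properties['InvalidAuthenticationDelayTimeInMs']) {
    throw "This build does not expose InvalidAuthenticationDelayTimeInMs; the rate limiter is not available here."
}

$current = $config.InvalidAuthenticationDelayTimeInMs
Write-Host "Current delay after a failed SMB authentication: $current ms"

if ($current -ne $DelayMs) {
    # -Force suppresses the confirmation prompt.
    Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs $DelayMs -Force
    $current = (Get-SmbServerConfiguration).InvalidAuthenticationDelayTimeInMs
    Write-Host "New delay after a failed SMB authentication: $current ms"
}

# Worked estimate from the post: how long a single client needs for a given
# number of failed NTLM attempts, without and with the per-failure delay.
function Get-BruteForceEstimate {
    param(
        [int]$Attempts      = 90000,
        [int]$RatePerSecond = 300,
        [int]$DelayMs       = 2000
    )
    $withoutDelay = [TimeSpan]::FromSeconds($Attempts / $RatePerSecond)      # 5 minutes at 300/s
    $withDelay    = [TimeSpan]::FromMilliseconds([double]$Attempts * $DelayMs) # 50 hours at 2000 ms
    [pscustomobject]@{
        Attempts     = $Attempts
        WithoutDelay = $withoutDelay
        WithDelay    = $withDelay
    }
}

Get-BruteForceEstimate -DelayMs $current | Format-List
```

Running the script without parameters keeps the 2000 ms default; passing -DelayMs 0 turns the limiter off for compatibility testing, and the estimate output then shows the two figures collapsing to the same value, which is a quick way to confirm what the change buys you.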

Protect SMB traffic from interception

Ned Pyle points to another post, Protect SMB traffic from interception, in the following tweet.

Protect SMB traffic from interception

In this article, Microsoft explains how an attacker can use interception techniques against the SMB protocol and how administrators can mitigate such an attack. The concepts help administrators develop their own defense-in-depth strategy for the SMB protocol. In other tweets, Pyle also points to further Microsoft posts on the subject.

