Microsoft’s SMB server service on Windows 11 has received an update that aims to make it better at defending against brute-force attacks.
In the operating system’s latest Windows 11 2022 update, Insider Preview Build 25206, which was recently pushed to the Dev Channel, the SMB authentication rate limiter is enabled by default.
Also, a few other settings have been tweaked to make these attacks “less effective”.
“With the release of Windows 11 Insider Preview Build 25206 Dev Channel today, the SMB server service now defaults to a 2-second default between each failed incoming NTLM authentication,” said Ned Pyle, Principal Program Manager in Microsoft’s Windows Server engineering group, in a blog post announcing the news.
“This means that if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes (90,000 passwords), the same number of attempts would now take at least 50 hours.”
In other words, by turning the feature on, there is a delay between each failed NTLM authentication attempt, making the SMB server service more resilient to brute-force attacks.
“The goal here is to make a Windows client an unattractive target, either when it’s in a workgroup or for its local accounts when it joins a domain,” Microsoft’s Amanda Langowski and Brandon LeBlanc said.
The authentication rate limiter, which was not enabled by default when it first appeared, was introduced to Windows Server, Windows Server Azure Edition, and Windows 11 Insider builds about six months ago. The SMB server, on the other hand, starts automatically on all versions. However, it is only exposed to the Internet if someone manually opens the firewall for it.
Those interested in trying out the new feature should run this PowerShell command, where n is the delay in milliseconds:
Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n
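As an added example, not code from the article or from Microsoft, the following PowerShell audit script reads the current delay, raises it to the 2-second baseline if it is lower, works through the article’s 90,000-attempt arithmetic against the live value, and lists the firewall rules that expose TCP 445. It assumes an elevated session on a build that supports the setting and that Get-SmbServerConfiguration exposes the same InvalidAuthenticationDelayTimeInMs property that Set-SmbServerConfiguration accepts.

```powershell
# Added example (not from the article or Microsoft): audit and harden the SMB
# server's failed-NTLM authentication delay. Assumes an elevated session on a
# build that supports the setting, and (assumption) that Get-SmbServerConfiguration
# exposes InvalidAuthenticationDelayTimeInMs alongside the Set- parameter.
param(
    [int]$BaselineDelayMs = 2000   # 2 seconds, the new default described in the article
)

$current = (Get-SmbServerConfiguration).InvalidAuthenticationDelayTimeInMs
if ($null -eq $current) {
    Write-Warning "This build does not expose InvalidAuthenticationDelayTimeInMs; the rate limiter is unavailable here."
    return
}
Write-Host ("Current failed-NTLM delay: {0} ms" -f $current)

if ($current -lt $BaselineDelayMs) {
    Write-Host ("Raising delay to {0} ms" -f $BaselineDelayMs)
    Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs $BaselineDelayMs -Force
    $current = (Get-SmbServerConfiguration).InvalidAuthenticationDelayTimeInMs
}

# Same arithmetic as the article: failed attempts from one client are spaced by
# the delay, so N guesses take at least N * delay. 300/s for 5 minutes = 90,000.
$guesses = 300 * 60 * 5
$hours   = $guesses * $current / 1000 / 3600
Write-Host ("{0:N0} failed attempts from one client now take at least {1:N1} hours" -f $guesses, $hours)

# The delay only matters if the server is reachable: show enabled inbound allow
# rules for TCP 445 so the firewall exposure the article mentions is visible.
$smbRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

if ($smbRules) {
    Write-Host "Inbound TCP 445 is allowed by these enabled rules:"
    $smbRules | Select-Object DisplayName, Profile | Format-Table -AutoSize
} else {
    Write-Host "No enabled inbound allow rule for TCP 445; the SMB server is not reachable through Windows Firewall."
}
```

With the default 2000 ms value the script reports 50 hours for 90,000 attempts, matching the figure quoted above.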
“This behavior change has no effect on Kerberos, which is authenticated before an application protocol like SMB connects. It is designed to be another layer of defense in depth, especially for non-domain-joined devices such as home users,” Pyle also said.