Microsoft is constantly improving Windows, and while regular users judge these efforts by what they can actually see and use, the company also makes many back-end changes that primarily affect IT administrators, with the benefits passed on to consumers without their ever noticing. Microsoft today revealed one such key improvement it’s bringing to Windows 11.
In a tech blog post, Microsoft Senior Program Manager Ned Pyle detailed the change the company has made to Server Message Block (SMB) authentication in Windows 11.
Back in March, Microsoft announced a feature called “SMB Authentication Rate Limiter” that became available to Insiders running Windows 11 and Windows Server. Pyle explains that IT staff often access the SMB service from their own computers for quick actions such as copying logs.
However, if an attacker gets hold of an IT employee’s username, they can continually send local or Active Directory NTLM login attempts to the SMB server using an open-source tool. If the organization’s security team has not configured any intrusion detection rules or firewall rules for that particular service, the attacker could eventually guess the password and use it as an entry point to infiltrate the system further. The same applies to a consumer who turns off the firewall and connects to an insecure network.
The SMB authentication rate limiter attempts to make the SMB service a more costly and, as Pyle calls it, “unattractive” target for an attacker by introducing a 2-second delay after each failed NTLM authentication attempt. Thus, where an attacker could previously send 300 attempts per second for 5 minutes (90,000 attempts), the same number of attempts, spaced 2 seconds apart, would now take 50 hours.
Although the SMB authentication rate limiter was disabled by default in Insider builds of Windows 11 and Windows Server, Microsoft has enabled it by default in the latest Windows 11 Dev Channel Build 25206, released yesterday. It is important to understand that this change was not made in Windows Server vNext build 25206, which became available at the same time.
You can see the current configuration by running the following command in PowerShell:
And you can customize the timeout configuration according to your preferences with the following PowerShell command:
Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n
In the above command, “n” is a value in milliseconds and must be a multiple of 100. Setting it to 0 disables the SMB authentication rate limiter. If you’d like a more hands-on demo, check out Pyle’s helpful video below:
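As an added example that is not part of Pyle’s post or the original article, the script below reads the current delay, validates a desired value against the rules just described (0 disables, otherwise a multiple of 100 ms), applies it, and reads it back to confirm it took effect. It assumes that Get-SmbServerConfiguration exposes the setting under the same name as the Set- parameter, InvalidAuthenticationDelayTimeInMs, on builds that include the rate limiter, and that it is run from an elevated PowerShell session. The per-hour cap it prints treats failures as serialized, which is the same assumption behind the 50-hour figure above.

```powershell
# Added example, not code from Pyle's post. Assumes the property name
# InvalidAuthenticationDelayTimeInMs on the Get-SmbServerConfiguration result
# matches the Set-SmbServerConfiguration parameter of the same name.
param(
    [int]$DesiredDelayMs = 2000   # 0 disables the limiter; otherwise a multiple of 100
)

# The cmdlet enforces these rules itself; checking up front gives a clearer error.
if ($DesiredDelayMs -lt 0 -or ($DesiredDelayMs % 100) -ne 0) {
    throw "Delay must be 0 (disabled) or a positive multiple of 100 ms; got $DesiredDelayMs"
}

$config  = Get-SmbServerConfiguration
$current = $config.InvalidAuthenticationDelayTimeInMs

if ($null -eq $current) {
    throw "This build does not expose InvalidAuthenticationDelayTimeInMs; the rate limiter is unavailable here."
}

Write-Host "Current invalid-authentication delay: $current ms"

# Upper bound on failed NTLM attempts per hour if each failure costs DelayMs
# and failures are serialized (the assumption behind the article's 50-hour figure).
function Get-MaxFailedAttemptsPerHour([int]$DelayMs) {
    if ($DelayMs -le 0) { return [double]::PositiveInfinity }   # limiter disabled
    return [math]::Floor(3600000 / $DelayMs)
}

if ($current -ne $DesiredDelayMs) {
    # -Force suppresses the confirmation prompt so the script can run unattended.
    Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs $DesiredDelayMs -Force
    $current = (Get-SmbServerConfiguration).InvalidAuthenticationDelayTimeInMs
    if ($current -ne $DesiredDelayMs) {
        throw "Setting did not take effect (read back $current ms)."
    }
    Write-Host "Delay set to $current ms"
}

$cap = Get-MaxFailedAttemptsPerHour $current
Write-Host "Upper bound on failed NTLM attempts per hour: $cap"
```

With the default 2000 ms the cap works out to 1,800 failed attempts per hour, so the 90,000 attempts from the article’s scenario need 50 hours; passing 0 disables the limiter and the script reports an unbounded rate.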
While this feature is available in Insider Preview builds of both Windows 11 and Windows Server, it is only enabled by default on the former – and only if you’re running build 25206. Microsoft wants to collect feedback and find any issues with the behavior before rolling it out to a wider audience, and has asked Windows 11 users to report any abnormal behavior in the Feedback Hub. As with any preview feature, there is no guarantee that Microsoft will make it available to everyone in the near future.
This feature does not affect Kerberos authentication. Microsoft also plans to start a “security upgrade” campaign soon to phase out legacy SMB behavior across Windows releases; a more detailed roadmap will be posted later.