Microsoft continually makes enhancements to Windows, and while general users judge these efforts by what they can actually see and use, the company makes many changes on the backend that primarily affect IT admins, with the benefits flowing down to consumers without them knowing about it. Today, Microsoft has highlighted one such key enhancement it is making to Windows 11.
In a technical blog post, Microsoft Principal Program Manager Ned Pyle has detailed a change that the company has made to Server Message Block (SMB) authentication in Windows 11.
Basically, back in March, Microsoft announced a feature called "SMB authentication rate limiter" which was made available to Insiders using Windows 11 and Windows Server.
Pyle explains that IT staff members often access the SMB service from their machines for quick tasks such as copying logs. However, if an attacker gets hold of an IT staff member's username, they can use open-source tools to continuously send local or Active Directory NTLM logon attempts to the SMB server. If the organization's security team hasn't configured some form of intrusion detection or firewall rules for this particular service, the attacker could eventually guess the password and use it as an entry point to infiltrate the organization's network further. The same applies to a consumer who turns off their firewall and takes their device onto an unsafe network.
SMB authentication rate limiter tries to make the SMB service a difficult and, as Pyle calls it, "unattractive" target for an attacker by introducing a 2-second delay after each failed NTLM authentication attempt. So, if an attacker was sending 300 attempts per second for 5 minutes, the same number of attempts would now require 50 hours.
Although SMB authentication rate limiter was off by default in Insider releases of Windows 11 and Windows Server, Microsoft has enabled it by default in the latest Windows 11 Dev Channel build 25206 that was made available yesterday. It is very important to understand that this change has not been made to the Windows Server vNext build 25206 that was also made available at the same time.
You can see the current configuration by running the following command in PowerShell:
And you can adjust the timeout configuration according to your preference through the following PowerShell command:
Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n
In the aforementioned command, "n" is given in milliseconds and must be a multiple of 100. Setting it to 0 disables the SMB authentication rate limiter. If you'd like a more practical demonstration, check out Pyle's helpful video below:
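Putting the check and the change together, as an added example that is not from the article or from Microsoft: a PowerShell script that reads the current delay, validates a new value before applying it, and reproduces the article's 300-attempts-per-second arithmetic. Get-SmbServerConfiguration and Set-SmbServerConfiguration are the real cmdlets; the helper function names are assumptions, and the script needs an elevated session on a build that exposes the setting.

```powershell
# Added example (not from the article or from Microsoft): audit the SMB
# authentication rate limiter and apply a validated delay. Run elevated on a
# Windows 11 build that exposes InvalidAuthenticationDelayTimeInMs.
# The helper function names below are assumptions, not Microsoft cmdlets.

function Get-SmbAuthDelay {
    # Current per-failure delay in milliseconds (0 means the limiter is disabled).
    (Get-SmbServerConfiguration).InvalidAuthenticationDelayTimeInMs
}

function Set-SmbAuthDelay {
    param([Parameter(Mandatory)][int]$DelayMs)
    # The setting only accepts 100 ms steps; reject anything else before
    # touching the live server configuration.
    if ($DelayMs -lt 0 -or ($DelayMs % 100) -ne 0) {
        throw "DelayMs must be a non-negative multiple of 100 (got $DelayMs)"
    }
    Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs $DelayMs -Force
    Get-SmbAuthDelay
}

function Get-BruteForceEstimate {
    # Rough wall-clock time an online NTLM guessing run needs once every
    # failure costs $DelayMs, assuming the guesses are serialised by the delay.
    param([int]$Attempts, [int]$DelayMs)
    [pscustomobject]@{
        Attempts = $Attempts
        DelayMs  = $DelayMs
        Hours    = [math]::Round($Attempts * $DelayMs / 1000 / 3600, 1)
    }
}

$current = Get-SmbAuthDelay
if ($current -eq 0) {
    Write-Warning "SMB authentication rate limiter is disabled on this host"
}
else {
    "Current delay per failed NTLM attempt: $current ms"
}

# The article's scenario: 300 guesses/s for 5 minutes = 90,000 guesses.
# With the default 2,000 ms delay that is 50 hours instead of 5 minutes.
Get-BruteForceEstimate -Attempts (300 * 5 * 60) -DelayMs 2000 | Format-Table -AutoSize

# Raise the delay to 5 seconds (uncomment to apply the change):
# Set-SmbAuthDelay -DelayMs 5000
```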
Although the feature is available in preview for Insiders on both Windows 11 and Windows Server, it is only enabled by default for the former - if you're on build 25206, that is. The reason for this is that Microsoft wants to gather feedback and see whether any issues originate from this behavior before rolling it out to a wider audience. As such, Microsoft has asked Windows 11 users to report any abnormal behavior through the Feedback Hub. As with every preview feature, there's no guarantee that Microsoft will roll it out to everyone in the near future.
This feature does not affect Kerberos authentication. Microsoft plans to begin a "security modernization" campaign soon to iteratively remove pre-SMB or legacy SMB behaviors in Windows releases; a more detailed roadmap will be shared soon.