Microsoft’s SMB server service on Windows 11 has been given an update aimed at making it better at defending against brute-force attacks.
In the operating system’s latest Windows 11 2022 update, the Insider Preview Build 25206, recently pushed to the Dev Channel, SMB authentication rate limiter is enabled by default.
What’s more, a couple of other settings have been tweaked to make these attacks “less effective”.
Unattractive target
“With the release of Windows 11 Insider Preview Build 25206 Dev Channel today, the SMB server service now defaults to a 2-second default between each failed inbound NTLM authentication,” Ned Pyle, Principal Program Manager in the Microsoft Windows Server engineering group, said in a blog post (opens in new tab) announcing the news.
“This means if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes (90,000 passwords), the same number of attempts would now take 50 hours at a minimum.”
In other words, by toggling the feature on, there is a delay between each unsuccessful NTLM authentication attempt, making the SMB server service more resilient to brute-force attacks.
“The goal here is to make a Windows client an unattractive target either when in a workgroup or for its local accounts when joined to a domain,” Microsoft’s Amanda Langowski and Brandon LeBlanc chimed in.
The authentication rate limiter, which is not enabled by default, was first introduced to Windows Server, Windows Server Azure Edition, and Windows 11 Insider builds, some six months ago. The SMB server, on the other hand, does launch automatically on all versions. It needs to be exposed to the internet, though, by manually opening a firewall.
Those interested in trying out the new feature need to run this PowerShell command:
Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n
“This behavior change has no effect on Kerberos, which authenticates before an application protocol like SMB connects. It is designed to be another layer of defense in depth, especially for devices not joined to domains such as home users,” Pyle also said