Microsoft’s SMB Server service in Windows 11 has been updated to better protect against brute-force attacks.
In the latest Windows 11 2022 OS update, Insider Preview Build 25206, just released to the Dev Channel, the SMB authentication rate limiter is enabled by default.
Moreover, several other settings have been tweaked to make these attacks “less effective”.
“With today’s release of Windows 11 Insider Preview Build 25206 Dev Channel, the SMB server service now defaults to 2 seconds between each failed inbound NTLM authentication,” said Ned Pyle, general program manager in Microsoft’s Windows Server engineering group, in a blog post announcing the news.
“This means that if the attacker previously sent 300 brute force attempts per second for 5 minutes (90,000 passwords) from the client, the same number of attempts would now take at least 50 hours.”
In other words, when this feature is enabled, there is a delay between each failed NTLM authentication attempt, making the SMB Server service more resistant to brute force attacks.
“The goal here is to make the Windows client an unattractive target for both the workgroup and local accounts after joining a domain,” added Microsoft’s Amanda Langowski and Brandon LeBlanc.
The authentication rate limiter, which was not enabled by default, was first introduced in Windows Server, Windows Server Azure Edition, and Windows 11 Insider builds about six months ago. The SMB server service, on the other hand, starts automatically in all versions, but it is only reachable from the Internet if the firewall is manually opened to allow it.
Those interested in trying out the new feature must run this PowerShell command:
Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n
where n is the delay in milliseconds to impose after each failed authentication.
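The following script is an added example, not part of the article or of Microsoft’s post. It reads the SMB server’s current failed-authentication delay, raises it to a chosen floor if it is lower, re-reads the setting to verify the change, and then applies the delay to the article’s brute-force figure (300 attempts per second for 5 minutes). It assumes an elevated PowerShell session on a build whose SMB server exposes the InvalidAuthenticationDelayTimeInMs setting (Build 25206 or later, per the article); the 2000 ms floor is a locally chosen value that mirrors the 2-second default the article quotes.

```powershell
# Added example (not from the article or from Microsoft's post).
# Assumes: elevated PowerShell, and an SMB server build that exposes
# InvalidAuthenticationDelayTimeInMs. $MinimumDelayMs is a locally chosen
# floor; 2000 ms matches the 2-second default described in the article.
param(
    [ValidateRange(0, [int]::MaxValue)]
    [int]$MinimumDelayMs = 2000
)

# Read the delay currently applied between failed inbound NTLM authentications.
$current = (Get-SmbServerConfiguration).InvalidAuthenticationDelayTimeInMs

if ($current -eq 0) {
    # A value of 0 means no delay is imposed, i.e. the rate limiter is off.
    Write-Warning "SMB failed-authentication delay is 0 ms: the rate limiter is disabled."
}
else {
    Write-Host "Current delay between failed NTLM authentications: $current ms"
}

if ($current -lt $MinimumDelayMs) {
    Write-Host "Raising delay to $MinimumDelayMs ms"
    # -Force suppresses the confirmation prompt so the script can run unattended.
    Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs $MinimumDelayMs -Force
}

# Re-read the setting and verify rather than trusting the set call silently.
$after = (Get-SmbServerConfiguration).InvalidAuthenticationDelayTimeInMs
if ($after -lt $MinimumDelayMs) {
    throw "Delay is $after ms, expected at least $MinimumDelayMs ms"
}
Write-Host "Verified: delay is now $after ms"

# Constructed budget reproducing the article's figure: 300 attempts/s for
# 5 minutes is 90,000 guesses. With a per-failure delay, a single client's
# sequential guesses stretch from 5 minutes to (guesses * delay) seconds.
$guesses = 300 * 5 * 60
$hours = [math]::Round(($guesses * $after / 1000) / 3600, 1)
Write-Host "$guesses sequential failed attempts would now take at least $hours hours"
```

Run the script from an elevated prompt; pass `-MinimumDelayMs` to choose a different floor. With the article’s 2000 ms default the final line reports 50 hours, matching Pyle’s figure.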
“This behavior change has no effect on Kerberos, which authenticates before connecting to an application protocol such as SMB. It’s designed to be another layer of in-depth protection, especially for non-domain-joined devices like home users,” said Pyle.