N
NedPyle
Heya folks, Ned here again. Last November, Microsoft launched the Secure Future Initiative (SFI) to prepare for the increasing scale and high stakes of cyberattacks. SFI brings together every part of Microsoft to advance cybersecurity protection across our company and products.
Windows has focused on security options with each major release, and Windows 11 24H2 and Windows Server 2025 are no exception: they include a dozen new SMB features that make your data, your users, and your organization safer – and most are on by default. Today I’ll explain their usefulness, share some demos, and point to further details.
The new OSes will soon be generally available and you can preview them right now: download Windows Server 2025 and Windows 11 24H2.
On to the security.
We now require signing by default for all Windows 11 24H2 SMB outbound and inbound connections and for all outbound connections in Windows Server 2025. This changes legacy behavior, where we required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing for their clients.
SMB signing has been available for decades and prevents data tampering and relay attacks that steal credentials. By requiring signing by default, we ensure that an admin or user must opt out of this safer configuration, instead of requiring them to be very knowledgeable about SMB network protocol security and turn signing on.
The SMB client now supports blocking NTLM authentication for remote outbound connections. This changes the legacy behavior of always using negotiated authentication that could downgrade from Kerberos to NTLM.
Blocking NTLM authentication prevents tricking clients into sending NTLM requests to malicious servers, which counteracts brute force, cracking, relay, and pass-the-hash attacks. NTLM blocking is also required for forcing an organization's authentication to Kerberos, which is more secure because it verifies identities with its ticket system and better cryptography. Admins can specify exceptions to allow NTLM authentication over SMB to certain servers.
The SMB server service now throttles failed authentication attempts by default. This applies to SMB sharing files on both Windows Server and Windows.
Brute force authentication attacks bombard the SMB server with multiple username and password-guesses and the frequency can range from dozens to thousands of attempts per second. The SMB authentication rate limiter is enabled by default with a 2 second delay between each failed NTLM or Local KDC Kerberos-based authentication attempt. An attack that sends 300 guesses per second for 5 minutes, for example - 90,000 attempts - would now take 50 hours to complete. An attacker is far more likely to simply give up than keep trying this method.
Windows 11 Pro no longer allows SMB client guest connections or guest fallback to an SMB server by default. This makes Windows 11 Pro operate like Windows 10 and Windows 11 Enterprise, Education, and Pro for Workstation editions have for years.
Guest logons don't require passwords & don't support standard security features like signing and encryption. Allowing a client to use guest logons makes the user vulnerable to attacker-in-the-middle scenarios or malicious server scenarios - for instance, a phishing attack that tricks a user into opening a file on a remote share or a spoofed server that makes a client think it's legitimate. The attacker doesn't need to know the user's credentials and a bad password is ignored. Only third-party remote devices might require guest access by default. Microsoft-provided operating systems haven't enabled guest in server scenarios since Windows 2000.
You can now mandate the SMB 2 and 3 protocol versions used.
Previously, the SMB server and client only supported automatically negotiating the highest matched dialect from SMB 2.0.2 to 3.1.1. This means you can intentionally block older protocol versions or devices from connecting. For example, you can specify connections to only use SMB 3.1.1, the most secure dialect of the protocol. The minimum and maximum can be set independently on both the SMB client and server, and you can set just a minimum if desired.
The SMB client now supports requiring encryption of all outbound SMB connections.
Encryption of all outbound SMB client connections enforces the highest level of network security and brings management parity to SMB signing. When enabled, the SMB client won't connect to an SMB server that doesn't support SMB 3.0 or later, or that doesn't support SMB encryption. For example, a third-party SMB server might support SMB 3.0 but not SMB encryption. Unlike SMB signing, encryption is not required by default.
Remote Mailslots are deprecated and disabled by default for SMB and for DC locator protocol usage with Active Directory.
The Remote Mailslot protocol is an obsolete, simple, unreliable, IPC method first introduced in MS DOS. It is completely unsafe and has no authentication or authorization mechanisms.
SMB over QUIC is now included in all Windows Server 2025 editions (Datacenter, Standard, Azure Edition), not just on Azure Edition like it was in Windows Server 2022.
SMB over QUIC is an alternative to the legacy TCP protocol and is designed for use on untrusted networks like the Internet. It uses TLS 1.3 and certificates to ensure that all SMB traffic is encrypted and usable through edge firewalls for mobile and remote users without the need for a VPN. The user experience does not change at all.
SMB over QUIC client access control lets you restrict which clients can access SMB over QUIC servers. The legacy behavior allowed connection attempts from any client that trusts the QUIC server’s certificate issuance chain.
Client access control creates allow and block lists for devices to connect to the file server. A client would now need its own certificate and be on an allow list to complete the QUIC connection before any SMB connection occurs. Client access control gives organizations more protection without changing the authentication used when making the SMB connection and the user experience does not change. You can also completely disable the SMB over QUIC client or only allow connection to specific servers.
You can use the SMB client to connect to alternative TCP, QUIC, and RDMA ports than their IANA/IETF defaults of 445, 5445, and 443.
With Windows Server, this allows you to host an SMB over QUIC connection on an allowed firewall port other than 443. You can only connect to alternative ports if the SMB server is configured to support listening on that port. You can also configure your deployment to block configuring alternative ports or specify that ports can only connect to certain servers.
The built-in firewall rules don’t contain the SMB NetBIOS ports anymore.
The NetBIOS ports were only necessary for SMB1 usage, and that protocol is deprecated and removed by default. This change brings SMB firewall rules more in line with the standard behavior for the Windows Server File Server role. Administrators can reconfigure the rules to restore the legacy ports.
SMB now supports auditing use of SMB over QUIC, missing third party support for encryption, and missing third party support for signing. These all operate at the SMB server and SMB client level.
It is much easier for you to determine if Windows and Windows Server devices are making SMB over QUIC connections. It is also much easier to determine if third parties support signing and encryption before mandating their usage.
With the release of Windows Server 2025 and Windows 11 24H2, we have made the most changes to SMB security since the introduction of SMB 2 in Windows Vista. Deploying these operating systems fundamentally alters your security posture and reduces risk to this ubiquitous remote file and data fabric protocol used by organizations worldwide.
For more information on changes in Windows Server 2025, visit Windows Server Summit 2024 - March 26-28, 2024 | Microsoft Event. You will find dozens of presentations and demos on the latest features arriving this fall in our latest operating system.
And remember, you can try all of this right now: preview Windows Server 2025 and Windows 11 24H2.
Until next time,
- Ned Pyle
Continue reading...
Windows has focused on security options with each major release, and Windows 11 24H2 and Windows Server 2025 are no exception: they include a dozen new SMB features that make your data, your users, and your organization safer – and most are on by default. Today I’ll explain their usefulness, share some demos, and point to further details.
The new OSes will soon be generally available and you can preview them right now: download Windows Server 2025 and Windows 11 24H2.
On to the security.
SMB signing required by default
What it is
We now require signing by default for all Windows 11 24H2 SMB outbound and inbound connections and for all outbound connections in Windows Server 2025. This changes legacy behavior, where we required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing for their clients.
How it helps you
SMB signing has been available for decades and prevents data tampering and relay attacks that steal credentials. By requiring signing by default, we ensure that an admin or user must opt out of this safer configuration, instead of requiring them to be very knowledgeable about SMB network protocol security and turn signing on.
Learn more
- Control SMB signing behavior (preview) | Microsoft Learn
- SMB signing required by default in Windows Insider - Microsoft Community Hub
SMB NTLM blocking
What it is
The SMB client now supports blocking NTLM authentication for remote outbound connections. This changes the legacy behavior of always using negotiated authentication that could downgrade from Kerberos to NTLM.
How it helps you
Blocking NTLM authentication prevents tricking clients into sending NTLM requests to malicious servers, which counteracts brute force, cracking, relay, and pass-the-hash attacks. NTLM blocking is also required for forcing an organization's authentication to Kerberos, which is more secure because it verifies identities with its ticket system and better cryptography. Admins can specify exceptions to allow NTLM authentication over SMB to certain servers.
Learn more
- SMB NTLM blocking now supported in Windows Insider - Microsoft Community Hub
- Block NTLM connections on SMB (preview) | Microsoft Learn
- Demo:
SMB authentication rate limiter
What it is
The SMB server service now throttles failed authentication attempts by default. This applies to SMB sharing files on both Windows Server and Windows.
How it helps you
Brute force authentication attacks bombard the SMB server with multiple username and password-guesses and the frequency can range from dozens to thousands of attempts per second. The SMB authentication rate limiter is enabled by default with a 2 second delay between each failed NTLM or Local KDC Kerberos-based authentication attempt. An attack that sends 300 guesses per second for 5 minutes, for example - 90,000 attempts - would now take 50 hours to complete. An attacker is far more likely to simply give up than keep trying this method.
Learn more
- SMB authentication rate limiter now on by default in Windows Insider - Microsoft Community Hub
- Configure SMB authentication rate limiter for Windows (preview) | Microsoft Learn
- Demo:
SMB insecure guest auth now off by default in Windows Pro editions
What it is
Windows 11 Pro no longer allows SMB client guest connections or guest fallback to an SMB server by default. This makes Windows 11 Pro operate like Windows 10 and Windows 11 Enterprise, Education, and Pro for Workstation editions have for years.
How it helps you
Guest logons don't require passwords & don't support standard security features like signing and encryption. Allowing a client to use guest logons makes the user vulnerable to attacker-in-the-middle scenarios or malicious server scenarios - for instance, a phishing attack that tricks a user into opening a file on a remote share or a spoofed server that makes a client think it's legitimate. The attacker doesn't need to know the user's credentials and a bad password is ignored. Only third-party remote devices might require guest access by default. Microsoft-provided operating systems haven't enabled guest in server scenarios since Windows 2000.
Learn more
- SMB insecure guest auth now off by default in Windows Insider Pro editions - Microsoft Community Hub
- Enable insecure guest logons in SMB2 and SMB3 for Windows client and Windows Server | Microsoft Learn
SMB dialect management
What it is
You can now mandate the SMB 2 and 3 protocol versions used.
How it helps you
Previously, the SMB server and client only supported automatically negotiating the highest matched dialect from SMB 2.0.2 to 3.1.1. This means you can intentionally block older protocol versions or devices from connecting. For example, you can specify connections to only use SMB 3.1.1, the most secure dialect of the protocol. The minimum and maximum can be set independently on both the SMB client and server, and you can set just a minimum if desired.
Learn more
- SMB dialect management now supported in Windows Insider - Microsoft Community Hub
- Manage SMB dialects in Windows (preview) | Microsoft Learn
- Demo:
SMB client encryption mandate now supported
What it is
The SMB client now supports requiring encryption of all outbound SMB connections.
How it helps you
Encryption of all outbound SMB client connections enforces the highest level of network security and brings management parity to SMB signing. When enabled, the SMB client won't connect to an SMB server that doesn't support SMB 3.0 or later, or that doesn't support SMB encryption. For example, a third-party SMB server might support SMB 3.0 but not SMB encryption. Unlike SMB signing, encryption is not required by default.
Learn more
- SMB client encryption mandate now supported in Windows Insider - Microsoft Community Hub
- Configure the SMB client to require encryption in Windows (preview) | Microsoft Learn
Remote Mailslots deprecated and disabled by default
What it is
Remote Mailslots are deprecated and disabled by default for SMB and for DC locator protocol usage with Active Directory.
How it helps you
The Remote Mailslot protocol is an obsolete, simple, unreliable, IPC method first introduced in MS DOS. It is completely unsafe and has no authentication or authorization mechanisms.
Learn more
- The beginning of the end of Remote Mailslots as part of Windows Insider - Microsoft Community Hub
- Deprecated features in the Windows client | Microsoft Learn
- Features removed or no longer developed starting with Windows Server 2025 (preview) | Microsoft Learn
SMB over QUIC in Windows Server all editions
What it is
SMB over QUIC is now included in all Windows Server 2025 editions (Datacenter, Standard, Azure Edition), not just on Azure Edition like it was in Windows Server 2022.
How it helps you
SMB over QUIC is an alternative to the legacy TCP protocol and is designed for use on untrusted networks like the Internet. It uses TLS 1.3 and certificates to ensure that all SMB traffic is encrypted and usable through edge firewalls for mobile and remote users without the need for a VPN. The user experience does not change at all.
Learn more
- SMB over QUIC now available in Windows Server Insider Datacenter and Standard editions - Microsoft Community Hub
- Configure SMB over QUIC client access control in Windows Server | Microsoft Learn
- SMB over QUIC in Windows | Microsoft Learn
- Demo:
SMB over QUIC client access control
What it is
SMB over QUIC client access control lets you restrict which clients can access SMB over QUIC servers. The legacy behavior allowed connection attempts from any client that trusts the QUIC server’s certificate issuance chain.
How it helps you
Client access control creates allow and block lists for devices to connect to the file server. A client would now need its own certificate and be on an allow list to complete the QUIC connection before any SMB connection occurs. Client access control gives organizations more protection without changing the authentication used when making the SMB connection and the user experience does not change. You can also completely disable the SMB over QUIC client or only allow connection to specific servers.
Learn more
- SMB over QUIC client access control now supported in Windows Insider - Microsoft Community Hub
- Configure SMB over QUIC client access control in Windows Server | Microsoft Learn
- Demo:
SMB alternative ports
What it is
You can use the SMB client to connect to alternative TCP, QUIC, and RDMA ports than their IANA/IETF defaults of 445, 5445, and 443.
How it helps you
With Windows Server, this allows you to host an SMB over QUIC connection on an allowed firewall port other than 443. You can only connect to alternative ports if the SMB server is configured to support listening on that port. You can also configure your deployment to block configuring alternative ports or specify that ports can only connect to certain servers.
Learn more
- SMB alternative ports now supported in Windows Insider - Microsoft Community Hub
- Configure alternative SMB ports for Windows Server (preview) | Microsoft Learn
SMB Firewall default port changes
What it is
The built-in firewall rules don’t contain the SMB NetBIOS ports anymore.
How it helps you
The NetBIOS ports were only necessary for SMB1 usage, and that protocol is deprecated and removed by default. This change brings SMB firewall rules more in line with the standard behavior for the Windows Server File Server role. Administrators can reconfigure the rules to restore the legacy ports.
Learn more
- SMB firewall rule changes in Windows Insider - Microsoft Community Hub
- Secure SMB Traffic in Windows Server | Microsoft Learn
SMB auditing improvements
What it is
SMB now supports auditing use of SMB over QUIC, missing third party support for encryption, and missing third party support for signing. These all operate at the SMB server and SMB client level.
How it helps you
It is much easier for you to determine if Windows and Windows Server devices are making SMB over QUIC connections. It is also much easier to determine if third parties support signing and encryption before mandating their usage.
Learn more
Summary
With the release of Windows Server 2025 and Windows 11 24H2, we have made the most changes to SMB security since the introduction of SMB 2 in Windows Vista. Deploying these operating systems fundamentally alters your security posture and reduces risk to this ubiquitous remote file and data fabric protocol used by organizations worldwide.
For more information on changes in Windows Server 2025, visit Windows Server Summit 2024 - March 26-28, 2024 | Microsoft Event. You will find dozens of presentations and demos on the latest features arriving this fall in our latest operating system.
And remember, you can try all of this right now: preview Windows Server 2025 and Windows 11 24H2.
Until next time,
- Ned Pyle
Continue reading...