
SMB security hardening in Windows Server 2025 & Windows 11


Guest NedPyle
Posted

Heya folks, Ned here again. Last November, Microsoft launched the Secure Future Initiative (SFI) to prepare for the increasing scale and high stakes of cyberattacks. SFI brings together every part of Microsoft to advance cybersecurity protection across our company and products.

Windows has focused on security options with each major release, and Windows 11 24H2 and Windows Server 2025 are no exception: they include a dozen new SMB features that make your data, your users, and your organization safer – and most are on by default. Today I’ll explain their usefulness, share some demos, and point to further details.

The new OSes will soon be generally available and you can preview them right now: download Windows Server 2025 and Windows 11 24H2.

On to the security.

[HEADING=1]SMB signing required by default[/HEADING]

[HEADING=2]What it is[/HEADING]

We now require signing by default for all Windows 11 24H2 SMB outbound and inbound connections and for all outbound connections in Windows Server 2025. This changes legacy behavior, where we required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing for their clients.

[HEADING=2]How it helps you[/HEADING]

SMB signing has been available for decades and prevents data tampering and relay attacks that steal credentials. By requiring signing by default, we ensure that an admin or user must opt out of this safer configuration, instead of needing to know enough about SMB network protocol security to turn signing on themselves.

[HEADING=2]Learn more[/HEADING]

[HEADING=1]SMB NTLM blocking[/HEADING]

[ATTACH type="full" alt="Picture2.png"]63764[/ATTACH]

[HEADING=2]What it is[/HEADING]

The SMB client now supports blocking NTLM authentication for remote outbound connections. This changes the legacy behavior of always using negotiated authentication, which could downgrade from Kerberos to NTLM.

[HEADING=2]How it helps you[/HEADING]

Blocking NTLM authentication prevents a client from being tricked into sending NTLM authentication to a malicious server, which counteracts brute-force, cracking, relay, and pass-the-hash attacks. NTLM blocking is also required for forcing an organization's authentication to Kerberos, which is more secure because it verifies identities with its ticket system and better cryptography. Admins can specify exceptions to allow NTLM authentication over SMB to certain servers.

[HEADING=2]Learn more[/HEADING]

[HEADING=1]SMB authentication rate limiter[/HEADING]

[HEADING=2]What it is[/HEADING]

The SMB server service now throttles failed authentication attempts by default. This applies to SMB file sharing on both Windows Server and Windows.

[HEADING=2]How it helps you[/HEADING]

Brute force authentication attacks bombard the SMB server with many username and password guesses, at frequencies ranging from dozens to thousands of attempts per second. The SMB authentication rate limiter is enabled by default with a 2 second delay between each failed NTLM or Local KDC Kerberos-based authentication attempt. An attack that sends 300 guesses per second for 5 minutes (90,000 attempts), for example, would now take 50 hours to complete. An attacker is far more likely to simply give up than keep trying this method.

[HEADING=2]Learn more[/HEADING]

[HEADING=1]SMB insecure guest auth now off by default in Windows Pro editions[/HEADING]

[HEADING=2]What it is[/HEADING]

Windows 11 Pro no longer allows SMB client guest connections or guest fallback to an SMB server by default. This makes Windows 11 Pro operate the way Windows 10 and Windows 11 Enterprise, Education, and Pro for Workstation editions have for years.

[HEADING=2]How it helps you[/HEADING]

Guest logons don't require passwords and don't support standard security features like signing and encryption. Allowing a client to use guest logons makes the user vulnerable to attacker-in-the-middle or malicious server scenarios, for instance a phishing attack that tricks a user into opening a file on a remote share, or a spoofed server that makes a client think it's legitimate. The attacker doesn't need to know the user's credentials, and a bad password is ignored. Only third-party remote devices might require guest access by default. Microsoft-provided operating systems haven't enabled guest in server scenarios since Windows 2000.

[HEADING=2]Learn more[/HEADING]

[HEADING=1]SMB dialect management[/HEADING]

[ATTACH type="full" alt="Picture3.png"]63765[/ATTACH]

[HEADING=2]What it is[/HEADING]

You can now mandate the SMB 2 and 3 protocol versions used.

[HEADING=2]How it helps you[/HEADING]

Previously, the SMB server and client only supported automatically negotiating the highest matched dialect from SMB 2.0.2 to 3.1.1. Now you can intentionally block older protocol versions or devices from connecting. For example, you can specify that connections use only SMB 3.1.1, the most secure dialect of the protocol. The minimum and maximum can be set independently on both the SMB client and server, and you can set just a minimum if desired.
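A pre-flight check before pinning a file server to SMB 3.1.1, added here as an example and not code from the post: it lists the oldest dialect each connected client has negotiated and applies the minimum/maximum only when no client would be cut off. It assumes the SmbShare module's Get-SmbSession (with its Dialect and ClientComputerName properties) and the Smb2DialectMin/Smb2DialectMax parameters of Set-SmbServerConfiguration; the function names are mine.

```powershell
# Added example, not the post's own code. Assumes the SmbShare module:
# Get-SmbSession exposes Dialect (e.g. "3.1.1") and ClientComputerName, and
# Set-SmbServerConfiguration accepts -Smb2DialectMin / -Smb2DialectMax.
function Get-SmbDialectInventory {
    # One row per client computer, with the oldest dialect any of its sessions negotiated.
    Get-SmbSession | Group-Object ClientComputerName | ForEach-Object {
        $oldest = ($_.Group | ForEach-Object { [version]$_.Dialect } | Sort-Object)[0]
        [pscustomobject]@{
            Client        = $_.Name
            Sessions      = $_.Count
            OldestDialect = $oldest.ToString()
            # Anything below 3.1.1 is refused once the minimum is raised.
            CutOffBy311   = $oldest -lt [version]'3.1.1'
        }
    }
}

function Set-SmbDialect311Only {
    param([switch]$Force)   # -Force applies the mandate even if clients would be cut off
    $atRisk = @(Get-SmbDialectInventory | Where-Object CutOffBy311)
    if ($atRisk.Count -gt 0 -and -not $Force) {
        Write-Warning "Not applied: these clients negotiate below SMB 3.1.1 and would lose access:"
        Write-Warning ($atRisk | Format-Table -AutoSize | Out-String)
        return $atRisk
    }
    # Server side: accept only 3.1.1. The client can be pinned the same way with
    # Set-SmbClientConfiguration -Smb2DialectMin SMB311 -Smb2DialectMax SMB311 -Force
    Set-SmbServerConfiguration -Smb2DialectMin SMB311 -Smb2DialectMax SMB311 -Force
    Get-SmbServerConfiguration | Select-Object Smb2DialectMin, Smb2DialectMax
}

Get-SmbDialectInventory | Format-Table -AutoSize
Set-SmbDialect311Only
```

Run it during normal working hours so the session inventory reflects real clients; a device that only connects at night will not show up in a daytime snapshot.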

[HEADING=2]Learn more[/HEADING]

[HEADING=1]SMB client encryption mandate now supported[/HEADING]

[HEADING=2]What it is[/HEADING]

The SMB client now supports requiring encryption of all outbound SMB connections.

[HEADING=2]How it helps you[/HEADING]

Encryption of all outbound SMB client connections enforces the highest level of network security and brings management parity with SMB signing. When enabled, the SMB client won't connect to an SMB server that doesn't support SMB 3.0 or later, or that doesn't support SMB encryption; for example, a third-party SMB server might support SMB 3.0 but not SMB encryption. Unlike SMB signing, encryption is not required by default.

[HEADING=2]Learn more[/HEADING]

[HEADING=1]Remote Mailslots deprecated and disabled by default[/HEADING]

[HEADING=2]What it is[/HEADING]

Remote Mailslots are deprecated and disabled by default for SMB and for DC locator protocol usage with Active Directory.

[HEADING=2]How it helps you[/HEADING]

The Remote Mailslot protocol is an obsolete, simple, unreliable IPC method first introduced in MS-DOS. It is completely unsafe and has no authentication or authorization mechanisms.

[HEADING=2]Learn more[/HEADING]

[HEADING=1]SMB over QUIC in Windows Server all editions[/HEADING]

[ATTACH type="full" alt="2024-08-23_08-28-33.png"]63766[/ATTACH]

[HEADING=2]What it is[/HEADING]

SMB over QUIC is now included in all Windows Server 2025 editions (Datacenter, Standard, Azure Edition), not just on Azure Edition like it was in Windows Server 2022.

[HEADING=2]How it helps you[/HEADING]

SMB over QUIC is an alternative to the legacy TCP protocol and is designed for use on untrusted networks like the Internet. It uses TLS 1.3 and certificates to ensure that all SMB traffic is encrypted and usable through edge firewalls for mobile and remote users without the need for a VPN. The user experience does not change at all.

[HEADING=2]Learn more[/HEADING]

[HEADING=1]SMB over QUIC client access control[/HEADING]

[HEADING=2]What it is[/HEADING]

SMB over QUIC client access control lets you restrict which clients can access SMB over QUIC servers. The legacy behavior allowed connection attempts from any client that trusts the QUIC server’s certificate issuance chain.

[HEADING=2]How it helps you[/HEADING]

Client access control creates allow and block lists for devices to connect to the file server. A client would now need its own certificate and be on an allow list to complete the QUIC connection before any SMB connection occurs. Client access control gives organizations more protection without changing the authentication used when making the SMB connection and the user experience does not change. You can also completely disable the SMB over QUIC client or only allow connection to specific servers.
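The allow-list step described above, as an added example rather than code from the post: it computes the SHA-256 hash of a client's exported certificate, grants that client access to one server name, and turns on enforcement. It assumes Windows Server 2025's Grant-SmbClientAccessToServer and Get-SmbClientAccessToServer cmdlets, the RequireClientAuthentication setting on Set-SmbServerCertificateMapping, and an existing server certificate mapping for the server name; the server name and certificate file path are constructed placeholders.

```powershell
# Added example, not the post's own code. Assumes the Windows Server 2025
# Grant-/Get-SmbClientAccessToServer cmdlets, -RequireClientAuthentication on
# Set-SmbServerCertificateMapping, and that the server-side certificate mapping
# for $ServerName already exists. Server name and .cer path are placeholders.
param(
    [string]$ServerName     = 'fs1.contoso.example',   # name used in New-SmbServerCertificateMapping
    [string]$ClientCertPath = '.\laptop01-client.cer'  # public part of the client's certificate
)

# The identifier the server matches on is the SHA-256 hash of the client certificate
# (its DER bytes), so compute it from the exported .cer rather than pasting a value.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ClientCertPath
$sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
$hash   = -join ($sha256 | ForEach-Object { $_.ToString('X2') })
Write-Host "Client cert '$($cert.Subject)' -> SHA256 $hash"

# Put the client on the allow list for this server name, then require client
# authentication so that unlisted clients fail at the QUIC handshake, before any
# SMB authentication takes place.
Grant-SmbClientAccessToServer -Name $ServerName -IdentifierType SHA256 -Identifier $hash
Set-SmbServerCertificateMapping -Name $ServerName -RequireClientAuthentication $true

# Review the resulting access control entries for the server name.
Get-SmbClientAccessToServer -Name $ServerName
```

Grant every expected client before enabling enforcement; once RequireClientAuthentication is on, any client not on the list loses access to that server name immediately.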

[HEADING=2]Learn more[/HEADING]

[HEADING=1]SMB alternative ports[/HEADING]

[HEADING=2]What it is[/HEADING]

You can use the SMB client to connect to TCP, QUIC, and RDMA ports other than their IANA/IETF defaults (TCP 445, QUIC 443, and RDMA 5445).

[HEADING=2]How it helps you[/HEADING]

With Windows Server, this allows you to host an SMB over QUIC connection on an allowed firewall port other than 443. You can only connect to alternative ports if the SMB server is configured to support listening on that port. You can also configure your deployment to block configuring alternative ports or specify that ports can only connect to certain servers.

[HEADING=2]Learn more[/HEADING]

[HEADING=1]SMB Firewall default port changes[/HEADING]

[HEADING=2]What it is[/HEADING]

The built-in firewall rules don’t contain the SMB NetBIOS ports anymore.

[HEADING=2]How it helps you[/HEADING]

The NetBIOS ports were only necessary for SMB1 usage, and that protocol is deprecated and removed by default. This change brings SMB firewall rules more in line with the standard behavior for the Windows Server File Server role. Administrators can reconfigure the rules to restore the legacy ports.
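A single check covering the settings the sections above describe (signing, NTLM blocking, the rate limiter, guest auth, the encryption mandate, Remote Mailslots, SMB1 and the NetBIOS firewall ports), added here as an example and not code from the post: it compares a machine's SMB client, server and firewall configuration with those defaults and returns one row per check. It assumes the SmbShare and NetSecurity modules and the Set-SmbClientConfiguration / Set-SmbServerConfiguration property names listed in the code; a property that an older build does not expose is reported as absent rather than treated as a script error.

```powershell
# Added example, not the post's own code. Assumes the SmbShare and NetSecurity
# modules and the Smb*Configuration property names below; properties missing on
# older builds are reported as absent instead of failing.
function Get-SmbHardeningReport {
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    $checks = @(
        @{ Scope='Client'; Name='RequireSecuritySignature';   Want=$true;  Why='Signing required (24H2/2025 outbound default)' }
        @{ Scope='Server'; Name='RequireSecuritySignature';   Want=$true;  Why='Signing required inbound (Windows 11 24H2 default)' }
        @{ Scope='Client'; Name='BlockNTLM';                  Want=$true;  Why='SMB NTLM blocking (opt-in)' }
        @{ Scope='Client'; Name='EnableInsecureGuestLogons';  Want=$false; Why='Insecure guest auth off' }
        @{ Scope='Client'; Name='RequireEncryption';          Want=$true;  Why='Client encryption mandate (opt-in)' }
        @{ Scope='Server'; Name='EnableMailslots';            Want=$false; Why='Remote Mailslots disabled' }
        @{ Scope='Server'; Name='EnableSMB1Protocol';         Want=$false; Why='SMB1 removed by default' }
        @{ Scope='Server'; Name='InvalidAuthenticationDelayTimeInMs'; Want=2000; AtLeast=$true; Why='Auth rate limiter (2000 ms default)' }
    )
    foreach ($c in $checks) {
        $cfg  = if ($c.Scope -eq 'Client') { $client } else { $server }
        $prop = $cfg.PSObject.Properties[$c.Name]     # $null when this OS lacks the setting
        [pscustomobject]@{
            Scope     = $c.Scope
            Setting   = $c.Name
            Actual    = if ($prop) { $prop.Value } else { 'not present on this OS' }
            Expected  = $c.Want
            # AtLeast lets a longer rate-limiter delay still count as compliant.
            Compliant = if (-not $prop) { $false }
                        elseif ($c.AtLeast) { $prop.Value -ge $c.Want }
                        else { $prop.Value -eq $c.Want }
            Reason    = $c.Why
        }
    }
    # Firewall: NetBIOS ports 137-139 should no longer appear in enabled inbound
    # File and Printer Sharing rules (only SMB1 needed them).
    $netbios = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound `
                   -Enabled True -ErrorAction SilentlyContinue |
               Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -match '^13[789]$' }
    [pscustomobject]@{
        Scope = 'Firewall'; Setting = 'NetBIOS ports 137-139 in enabled inbound rules'
        Actual = [bool]$netbios; Expected = $false; Compliant = -not $netbios
        Reason = 'SMB firewall default port changes'
    }
}

Get-SmbHardeningReport | Format-Table Scope, Setting, Actual, Expected, Compliant, Reason -AutoSize
```

The NTLM-blocking and encryption rows are opt-in settings on both operating systems, so a fresh install reports them as non-compliant until you enable them deliberately.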

[HEADING=2]Learn more[/HEADING]

[HEADING=1]SMB auditing improvements[/HEADING]

[HEADING=2]What it is[/HEADING]

SMB now supports auditing use of SMB over QUIC, missing third-party support for encryption, and missing third-party support for signing. These all operate at the SMB server and SMB client level.

[HEADING=2]How it helps you[/HEADING]

It is much easier for you to determine if Windows and Windows Server devices are making SMB over QUIC connections. It is also much easier to determine if third parties support signing and encryption before mandating their usage.
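The "audit before you mandate" workflow from the encryption and auditing sections, as an added example and not code from the post: it enables the signing and encryption support audits on both the client and the server, then summarizes what the SMB audit logs recorded over a window so that third-party peers lacking support can be identified before RequireSecuritySignature or RequireEncryption is enforced. It assumes the AuditServerDoesNotSupportSigning/Encryption and AuditClientDoesNotSupportSigning/Encryption parameters of the Set-Smb*Configuration cmdlets and the Microsoft-Windows-SMBClient/Audit and Microsoft-Windows-SMBServer/Audit event logs; the function names are mine.

```powershell
# Added example, not the post's own code. Assumes the Windows 11 24H2 / Server 2025
# Audit* parameters on Set-SmbClientConfiguration / Set-SmbServerConfiguration and
# the Microsoft-Windows-SMBClient/Audit and Microsoft-Windows-SMBServer/Audit logs.
function Enable-SmbCapabilityAuditing {
    # Client side: record servers that cannot sign or encrypt.
    Set-SmbClientConfiguration -AuditServerDoesNotSupportSigning $true `
                               -AuditServerDoesNotSupportEncryption $true -Force
    # Server side: record clients that cannot sign or encrypt.
    Set-SmbServerConfiguration -AuditClientDoesNotSupportSigning $true `
                               -AuditClientDoesNotSupportEncryption $true -Force
}

function Get-SmbCapabilityAuditSummary {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in 'Microsoft-Windows-SMBClient/Audit', 'Microsoft-Windows-SMBServer/Audit') {
        # No events in the window is a normal (good) result, so silence the "no events" error.
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } `
                               -ErrorAction SilentlyContinue
        # One row per event ID; the message text carries the peer details.
        $events | Group-Object Id | ForEach-Object {
            [pscustomobject]@{
                Log     = $log
                EventId = [int]$_.Name
                Count   = $_.Count
                Latest  = ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated
                Sample  = ($_.Group[0].Message -split "`r?`n")[0]
            }
        }
    }
}

Enable-SmbCapabilityAuditing
# Leave auditing on for a representative period, then review before mandating
# signing or encryption via RequireSecuritySignature / RequireEncryption.
Get-SmbCapabilityAuditSummary -Hours 24 | Format-Table -AutoSize -Wrap
```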

[HEADING=2]Learn more[/HEADING]

[HEADING=1]Summary[/HEADING]

With the release of Windows Server 2025 and Windows 11 24H2, we have made the most changes to SMB security since the introduction of SMB 2 in Windows Vista. Deploying these operating systems fundamentally alters your security posture and reduces risk to this ubiquitous remote file and data fabric protocol used by organizations worldwide.

For more information on changes in Windows Server 2025, visit Windows Server Summit 2024 - March 26-28, 2024 | Microsoft Event. You will find dozens of presentations and demos on the latest features arriving this fall in our latest operating system.

And remember, you can try all of this right now: preview Windows Server 2025 and Windows 11 24H2.

Until next time,

- Ned Pyle
