Windows 11’s SMB server service has been updated to better defend against brute-force attacks.
The SMB authentication rate limiter is now enabled by default in the latest Windows 11 Insider Preview build, Build 25206 in the Dev Channel.
In addition, a few other settings have been tweaked to make these attacks “less effective”.
Unattractive target
In a blog post announcing the news, Ned Pyle, Senior Program Manager in the Microsoft Windows Server engineering group, wrote, “With the release of Windows 11 Insider Preview Build 25206 Dev Channel today, the SMB server service defaults to a 2-second default between each failed inbound NTLM authentication.”
By Pyle’s arithmetic, an attacker who previously sent 300 brute-force attempts per second for 5 minutes (90,000 passwords) would now need at least 50 hours (90,000 × 2 seconds) to make the same number of attempts.
With the feature enabled, the server inserts a delay after every failed NTLM authentication attempt before it will process the next one, which makes the SMB server service more resilient to brute-force password guessing. Successful logons are not delayed.
Microsoft’s Amanda Langowski and Brandon LeBlanc explained, “The goal here is to make a Windows client an unattractive target either in a workgroup or for its local accounts in a domain.”
The rate limiter itself was introduced six months earlier in Windows Server, Windows Server Azure Edition, and Windows 11 Insider builds, but it was off by default. The SMB server service starts automatically on all versions of Windows; exposing it to the internet, however, requires manually opening the firewall.
To inspect or change the delay, run the following PowerShell command from an elevated prompt, where n is the delay in milliseconds (0 disables the limiter; 2000 reproduces the new default):
Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n
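As an added illustration, and not code from Microsoft’s announcement, the following PowerShell reads the current delay, applies the 2-second default where it is lower, and then times a few deliberately failed NTLM logons against the local IPC$ share so the delay can be observed. The account name and password are made up and are meant to fail; the timing is only approximate, since client-side retries and network overhead add to the server-side delay, and the script must run as an administrator on the SMB server.

```powershell
# Added example, not from Microsoft's post: inspect, set and observe the SMB
# authentication rate limiter. Run from an elevated PowerShell prompt on the
# SMB server itself (Set-SmbServerConfiguration needs administrator rights).

# 1. Read the current delay (milliseconds between failed inbound NTLM auths).
#    0 means the limiter is disabled; 2000 is the new Windows 11 Insider default.
$cfg = Get-SmbServerConfiguration
"Current InvalidAuthenticationDelayTimeInMs: $($cfg.InvalidAuthenticationDelayTimeInMs)"

# 2. Restore the 2-second default if a build or an administrator turned it off
#    (or set it lower). -Force suppresses the confirmation prompt.
if ($cfg.InvalidAuthenticationDelayTimeInMs -lt 2000) {
    Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs 2000 -Force
}

# 3. Observe the effect: time a handful of deliberately failed NTLM logons
#    against the local IPC$ share. The user name and password below are
#    constructed for this example and are expected to be rejected.
$target   = "\\$env:COMPUTERNAME\IPC`$"
$attempts = 5
$elapsed  = Measure-Command {
    for ($i = 0; $i -lt $attempts; $i++) {
        # 'net use' with explicit bogus credentials forces an NTLM logon attempt;
        # cmd /c keeps the "logon failure" error from surfacing as a PowerShell error.
        cmd /c "net use $target /user:nosuchuser WrongPassw0rd! 2>&1" | Out-Null
    }
}
"{0} failed attempts took {1:N1} s; with a 2000 ms delay expect roughly {2} s of that to be the limiter" -f `
    $attempts, $elapsed.TotalSeconds, ($attempts * 2)
```

Run the measurement once with the delay set to 0 and once at 2000 to see the difference; the loop should take about two seconds longer per attempt in the second run.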
In addition, Pyle added that this behavior change has no bearing on Kerberos, which authenticates before an application protocol like SMB connects. The rate limiter is meant as another layer of defense in depth for NTLM, especially for devices that are not joined to a domain, such as home users’ machines, where local accounts are the target.