Heya folks, Ned here again. Back in the spring of 2022 we released a new SMB preview feature: the SMB authentication rate limiter. It is available in Windows 11 Insider and Windows Server Insider builds. IT staff often enable access to the SMB server service even on machines that aren't dedicated file servers, for legitimate reasons like opening remote files or copying logs. A side effect of this is that SMB becomes a way to attempt authentication. Knowing a username, an attacker can send local or Active Directory NTLM logons to a machine using common open-source tools - from dozens to hundreds of logon attempts per second - to guess a password. If your organization has no intrusion detection software or doesn't set a password lockout policy, an attacker might guess a user's password in a matter of days or hours. A consumer user who turns off their firewall and brings their device to an unsafe network has a similar problem.
With the release of Windows 11 Insider Preview Build 25206 Dev Channel and Windows Server Preview Build 25997, the SMB server service now defaults to a 2-second delay between each failed inbound NTLM authentication. This means if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes (90,000 passwords), the same number of attempts would now take 50 hours at a minimum. The goal here is to make a machine a very unattractive target for attacking local credentials through SMB.
Update April 3, 2024: official documentation now available at Configure SMB authentication rate limiter for Windows (preview) | Microsoft Learn
To see the current value, run:
Get-SmbServerConfiguration
The delay is configurable, and you can also disable it if you find an application compatibility issue. It's controlled by PowerShell:
Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n
The value is in milliseconds, must be a multiple of 100 (e.g., you can set it to 500, 2000, or 4800, but not 50 or 1337), and must be between 0 and 10000. Setting it to 0 disables the feature.
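To make those constraints easy to apply consistently, here is an added PowerShell example (my own illustration, not code from the post or from Windows). The function names `Set-SmbAuthRateLimit` and `Get-SmbAuthRateLimitReport` are hypothetical; it assumes the `InvalidAuthenticationDelayTimeInMs` property is exposed only on builds that ship the feature and that PowerShell remoting is enabled for the report.

```powershell
function Set-SmbAuthRateLimit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Delay in milliseconds between failed inbound NTLM authentications.
        # Must be 0..10000 and a multiple of 100; 0 disables the limiter.
        [Parameter(Mandatory)]
        [ValidateRange(0, 10000)]
        [ValidateScript({ $_ % 100 -eq 0 })]
        [int]$DelayMs
    )

    $config = Get-SmbServerConfiguration
    # Builds that predate the feature do not expose the property at all.
    if ($config.PSObject.Properties.Name -notcontains 'InvalidAuthenticationDelayTimeInMs') {
        throw 'InvalidAuthenticationDelayTimeInMs is not exposed; the rate limiter is unavailable on this build.'
    }

    $current = $config.InvalidAuthenticationDelayTimeInMs
    if ($current -eq $DelayMs) {
        Write-Verbose "Already set to $DelayMs ms; nothing to do."
        return $current
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Change SMB auth delay $current ms -> $DelayMs ms")) {
        Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs $DelayMs -Force
        # Read the value back rather than trusting the call succeeded.
        $applied = (Get-SmbServerConfiguration).InvalidAuthenticationDelayTimeInMs
        if ($applied -ne $DelayMs) { throw "Verification failed: value is $applied ms, expected $DelayMs ms." }
        return $applied
    }
}

function Get-SmbAuthRateLimitReport {
    # Audits one or more machines so a disabled limiter (0) or a missing
    # property (old build) shows up in one table.
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $c = Get-SmbServerConfiguration
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            DelayMs     = $c.InvalidAuthenticationDelayTimeInMs   # $null when unsupported
            Disabled    = ($c.InvalidAuthenticationDelayTimeInMs -eq 0)
            Unsupported = ($null -eq $c.InvalidAuthenticationDelayTimeInMs)
        }
    }
}

# Example usage: restore the 2-second default, then audit a few hosts.
Set-SmbAuthRateLimit -DelayMs 2000 -Verbose
Get-SmbAuthRateLimitReport -ComputerName 'host1', 'host2' | Format-Table
```

Passing 1337 is rejected by `ValidateScript` before anything is changed, and `-WhatIf` shows the intended change without applying it.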
If you do find an app compat issue with this, file a Feedback Hub bug and tell me here so it's not lost in the shuffle. I am very interested in hearing about any issues with this new default; I won't ship with it on by default unless it's helping more than hurting.
The default inbound behavior of the SMB server itself does not change - unless you intentionally open your firewall or create a custom SMB share, thereby opening the firewall - SMB is still not accessible remotely to a machine by default.
This behavior change has no effect on Kerberos, where the client talks directly to a KDC and authenticates before an application protocol like SMB finishes connecting. It is designed to be another layer of defense in depth, especially for devices not joined to domains, such as home users' machines.
Final Notes
This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:
- SMB alternative ports (November 2023)
- SMB Firewall changes in Windows insider (November 2023)
- SMB over QUIC now available in Windows Server Insider Datacenter and Standard editions (November 2023)
- SMB client encryption mandate now supported in Windows Insider (October 2023)
- SMB over QUIC client access control now supported in Windows Insider (October 2023, updated Nov 2023)
- SMB NTLM blocking (September 2023, updated Nov 2023)
- SMB dialect management (September 2023)
- SMB signing required by default in Windows Insider (June 2023)
- The beginning of the end of Remote Mailslots (March 2023)
- SMB insecure guest auth now off by default in Windows Insider Pro editions (January 2023)
- SMB authentication rate limiter now on by default in Windows Insider (September 2022)
- SMB1 now disabled by default for Windows 11 Home Insiders builds (April 2022)
For more information on securing SMB on Windows in-market, check out:
- SMB security enhancements | Microsoft Learn
- Secure SMB Traffic in Windows Server | Microsoft Learn
- Protect SMB traffic from interception | Microsoft Learn
Until next time,
Ned Pyle