SMB authentication rate limiter now on by default in Windows Insider
Published Sep 21 2022 11:01 AM 7,557 Views
Microsoft

Heya folks, Ned here again. Back in the spring of 2022 we released a new SMB preview feature: the SMB authentication rate limiter. It is available in Windows 11 Insider and Windows Server Insider builds. IT staff often enable access to the SMB server service even on machines that aren't dedicated file servers for legitimate reasons like opening remote files or copying logs. A side effect of this is that SMB becomes a way to attempt authentication. Knowing a username, an attacker can send local or Active Directory NTLM logons to a machine using common opensource tools - from dozens to hundreds of logon attempts per second - to guess a password. If your organization has no intrusion detection software or doesn't set a password lockout policy, an attacker might guess a user's password in a matter of days or hours. A consumer user who turns off their firewall and brings their device to an unsafe network has a similar problem.  

 

With the release of Windows 11 Insider Preview Build 25206 Dev Channel today, the SMB server service now defaults to a 2-second default between each failed inbound NTLM authentication. This means if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes (90,000 passwords), the same number of attempts would now take 50 hours at a minimum. The goal here is to make a machine a very unattractive target for attacking local credentials through SMB. 

 

In various other releases, it was off by default. Now it's on. The feature otherwise doesn't change except for some bug fixes.

 

To see the current value, run: 

  

Get-SmbServerConfiguration 

 

This setting has variable time configuration, and you can also disable it if you find some application compatibility issue. It's controlled by PowerShell:  

  

Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n 

  

The value is in milliseconds, must be a multiple of 100 (i.e., you can set it to 500, 2000, or 4800, but not 50 or 1337), and can be between 0-10000. Setting to 0 disables the feature.

 

Here's a demo 

 

 

If you do find an app compat issue with this, file a feedback hub bug and tell me here so it's not lost in the shuffle. I am very interested in hearing about any issues with this new default, I won't ship with it on by default unless it's helping more than hurting.

 

Note that this default behavior changes does not apply to Windows Server Insider builds yet. Windows Server Insider builds contain the feature but it is off by default.  And the default inbound behavior of the SMB server itself does not change - unless you intentionally open your firewall or create a custom SMB share - thereby opening the firewall - SMB is still not accessible remotely to a machine by default.  

 

This behavior change has no effect on Kerberos, which authenticates before an application protocol like SMB connects. It is designed to be another layer of defense in depth, especially for devices not joined to domains such as home users. 

 

This continues the next generation of SMB and file server security enhancements first begun with SMB over QUIC in Windows 11 and Windows Server 2022. We will harden, deprecate, or remove many legacy SMB and pre-SMB protocol behaviors over the next few major releases of operating systems in a security modernization campaign, similar to the removal of SMB1. I plan to share a roadmap in a coming blog series as we get near the end of the year, stay tuned.

 

For more information on SMB security, come back to visit us here at https://aka.ms/filecab. The build to download with this new default is Windows 11 Insider Preview Build 25206 Dev Channel

 

Until nex time,

 

Ned Pyle

2 Comments
Co-Authors
Version history
Last update:
‎Sep 21 2022 11:04 AM
Updated by: