Heya folks, Ned here again. Beginning in Windows 11 Insider Preview Build 25951 (Canary), the SMB client now supports blocking NTLM for remote outbound connections. This changes legacy behavior, where Windows SPNEGO would negotiate Kerberos, NTLM, and other mechanisms with the destination server to decide on a supported security package. NTLM in this case refers to all versions of the LAN Manager security package: LM, NTLM, and NTLMv2.
With this new option, an administrator can intentionally block Windows from offering NTLM via SMB. An attacker who tricks a user or application into sending NTLM challenge responses to a malicious server will no longer receive any NTLM data and cannot brute force, crack, or pass hashes. This adds a new level of protection for enterprises without a requirement to entirely disable NTLM usage in the OS.
Note: This setting has no effect on loopback SMB NTLM usage, i.e. mapping a drive locally on a device with a local account.
Configuring SMB NTLM Blocking
You can configure this option with Group Policy and PowerShell. You can also block NTLM SMB connections on demand with NET USE and PowerShell.
Group Policy
To configure SMB NTLM blocking for the entire Windows machine, enable the group policy under:
Computer Configuration \ Administrative Templates \ Network \ Lanman Workstation \ Block NTLM (LM, NTLM, NTLMv2)
PowerShell (global)
To configure SMB NTLM blocking for the entire Windows machine with PowerShell, set with the following syntax:
Set-SMbClientConfiguration -BlockNTLM $true
NET USE
To specify SMB NTLM blocking when mapping a drive with NET USE, use the following syntax:
NET USE \\server\share /BLOCKNTLM
New-SmbMapping
To specify SMB NTLM blocking when mapping a drive with PowerShell, use the following syntax:
New-SmbMapping -RemotePath \\server\share -BlockNTLM $true
Troubleshooting SMB NTLM Blocking
Connecting to Active Directory domain-joined computers with SMB while using a domain user account should always result in Kerberos authentication. Blocking NTLM should have no consequences to connectivity in this case. If you are expecting Kerberos to work when blocking NTLM and you are unable to connect, this section will help troubleshoot.
When NTLM is expected
You should expect NTLM usage under the following circumstances:
- The client connects using an IP address.
- The Kerberos CIFS Service Principal Name is missing in AD for the SMB server.
- The credential used for the SMB server is a local user account.
The possible errors shown when NTLM blocking is preventing connection are:
67
0x43
ERROR_BAD_NET_NAME
The network name cannot be found
Troubleshooting
If you expect to connect but NTLM blocking is preventing you, use the following steps:
- Verify that NTLM blocking is the culprit by temporarily disabling it on the client. The nature of NTLM blocking's current errors in Windows Insider means that it is easy to confuse NTLM blocking with unrelated networking problems like DNS name resolution.
- If connecting with IP address, switch to using a fully-qualified domain name. To use IP addresses with Kerberos, review Configuring Kerberos for IP Address.
- Verify the destination SMB server has its HOST SPN records registered by using SETSPN -L SMBSERVERNAME. For example:
setspn -L FS2
Registered ServicePrincipalNames for CN=FS2,CN=Computers,DC=corp,DC=contoso,DC=com:
WSMAN/fs2
WSMAN/fs2.corp.contoso.com
TERMSRV/FS2.corp.contoso.com
RestrictedKrbHost/FS2.corp.contoso.com
HOST/FS2.corp.contoso.com
TERMSRV/FS2
RestrictedKrbHost/FS2
HOST/FS2
If still unable to connect, use a network capture tool like Wireshark to examine the client and server messages for DNS, SMB2, and Kerberos.
Final notes
A later Windows Insider release will allow administrators to control SMB NTLM blocking to specific servers with an allow list. A client will be able to specify SMB servers that only support NTLM - either as non-domain members or third-party products - and allow connection.
This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:
- SMB dialect management (September 2023)
- SMB signing required by default in Windows Insider (June 2023)
- The beginning of the end of Remote Mailslots (March 2023)
- SMB insecure guest auth now off by default in Windows Insider Pro editions (January 2023)
- SMB authentication rate limiter now on by default in Windows Insider (September 2022)
- SMB1 now disabled by default for Windows 11 Home Insiders builds (April 2022)
For more information on securing SMB on Windows in-market, check out:
- SMB security enhancements | Microsoft Learn
- Secure SMB Traffic in Windows Server | Microsoft Learn
- Protect SMB traffic from interception | Microsoft Learn
SMB support for NTLM blocking is just the first phase in a larger strategy to end NTLM usage throughout Windows. Look for more information on this in the coming weeks.
Until next time,
Ned Pyle