Storage at Microsoft

SMB security hardening in Windows Server 2025 & Windows 11

NedPyle
Aug 23, 2024

Heya folks, Ned here again. Last November, Microsoft launched the Secure Future Initiative (SFI) to prepare for the increasing scale and high stakes of cyberattacks. SFI brings together every part of Microsoft to advance cybersecurity protection across our company and products.

Windows has focused on security options with each major release, and Windows 11 24H2 and Windows Server 2025 are no exception: they include a dozen new SMB features that make your data, your users, and your organization safer – and most are on by default. Today I’ll explain their usefulness, share some demos, and point to further details.

 

The new OSes will soon be generally available and you can preview them right now: download Windows Server 2025 and Windows 11 24H2.

On to the security.

SMB signing required by default

What it is

We now require signing by default for all Windows 11 24H2 SMB outbound and inbound connections and for all outbound connections in Windows Server 2025. This changes legacy behavior, where we required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing for their clients.

How it helps you

SMB signing has been available for decades and prevents data tampering and relay attacks that steal credentials. By requiring signing by default, we ensure that an admin or user must opt out of this safer configuration, instead of requiring them to be very knowledgeable about SMB network protocol security and turn signing on.
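
To see where signing actually stands on a machine before and after this change, here is an added PowerShell example (my own, not code from this post or from Microsoft's documentation). It assumes the built-in SmbShare module cmdlets Get-/Set-SmbClientConfiguration, Get-/Set-SmbServerConfiguration and Get-SmbConnection, and an elevated prompt.

```powershell
# Added example (not from the blog post): report whether SMB signing is
# required on this machine and whether live sessions are actually signed,
# then require it on both the client and server side.
# Assumes the built-in SmbShare module cmdlets; run in an elevated PowerShell.

function Get-SmbSigningState {
    # Returns the client and server "require signing" settings as one object.
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        ClientRequiresSigning = $client.RequireSecuritySignature
        ServerRequiresSigning = $server.RequireSecuritySignature
    }
}

function Get-UnsignedSmbConnection {
    # Lists active outbound SMB sessions that negotiated without signing.
    # A non-empty result before you enforce signing tells you which servers
    # (often third-party NAS devices) will need attention first.
    Get-SmbConnection | Where-Object { -not $_.Signed } |
        Select-Object ServerName, ShareName, Dialect, Signed, Encrypted
}

function Enable-SmbSigningRequirement {
    # Makes signing mandatory for outbound (client) and inbound (server) SMB.
    # This is already the default on Windows 11 24H2 and, for the client, on
    # Windows Server 2025; running it on older builds brings them to the same posture.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Get-SmbSigningState
}

'Current signing settings:'
Get-SmbSigningState
'Connections negotiated without signing:'
Get-UnsignedSmbConnection
Enable-SmbSigningRequirement
```

Run the inventory part first on a few representative clients: any server that shows up as unsigned today is one that will refuse to connect (or need a firmware update) once signing is mandatory.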

 

SMB NTLM blocking

What it is

The SMB client now supports blocking NTLM authentication for remote outbound connections. This changes the legacy behavior of always using negotiated authentication that could downgrade from Kerberos to NTLM.

How it helps you

Blocking NTLM authentication prevents tricking clients into sending NTLM requests to malicious servers, which counteracts brute force, cracking, relay, and pass-the-hash attacks. NTLM blocking is also required for forcing an organization's authentication to Kerberos, which is more secure because it verifies identities with its ticket system and better cryptography. Admins can specify exceptions to allow NTLM authentication over SMB to certain servers.
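
The following is an added PowerShell example (mine, not code from the post or from Microsoft) of turning on NTLM blocking for the SMB client, keeping a small exception list, and forcing it for a single mapping. The server names are placeholders; the parameter names BlockNTLM and BlockNTLMServerExceptionList are assumed from the Windows 11 24H2 / Windows Server 2025 SmbShare module.

```powershell
# Added example (not from the blog post): block NTLM for outbound SMB on a
# Windows 11 24H2 / Windows Server 2025 client, keep a short exception list,
# and show the per-mapping override. Server names are placeholders and the
# -BlockNTLM / -BlockNTLMServerExceptionList parameters are assumed from the
# 24H2 SmbShare module. Run elevated.

# 1. Block NTLM for all outbound SMB connections from this client. From now on
#    a server that can only do NTLM gets a failed connection, not a downgrade.
Set-SmbClientConfiguration -BlockNTLM $true -Force

# 2. Allow NTLM only to named legacy servers that cannot do Kerberos yet
#    (for example a workgroup NAS). Everything else must use Kerberos.
$exceptions = @('nas01.corp.example', 'legacyfs')   # placeholders
Set-SmbClientConfiguration -BlockNTLMServerExceptionList $exceptions -Force

# 3. A single mapping can also block NTLM on its own, which is useful for
#    trying the behaviour against one server before flipping the global switch.
New-SmbMapping -LocalPath 'Z:' -RemotePath '\\fs1.corp.example\data' -BlockNTLM $true

# 4. Verify the effective client settings.
Get-SmbClientConfiguration | Select-Object BlockNTLM, BlockNTLMServerExceptionList
```

Start with step 3 against the servers you care about, then enable the global block; anything that breaks belongs either on the exception list temporarily or on the list of devices to fix.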

 

SMB authentication rate limiter

What it is

The SMB server service now throttles failed authentication attempts by default. This applies to SMB file sharing on both Windows Server and Windows client editions.

How it helps you

Brute force authentication attacks bombard the SMB server with many username and password guesses, at rates ranging from dozens to thousands of attempts per second. The SMB authentication rate limiter is enabled by default with a 2 second delay between each failed NTLM or Local KDC Kerberos-based authentication attempt. An attack that sends 300 guesses per second for 5 minutes (90,000 attempts) would now take 50 hours to complete. An attacker is far more likely to simply give up than keep trying this method.
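
Here is an added PowerShell example (my own, not from the post) that reads and sets the rate limiter and works through the arithmetic above for any guessing rate and delay. It assumes the SmbShare module parameters EnableAuthRateLimiter and InvalidAuthenticationDelayTimeInMs on Set-SmbServerConfiguration.

```powershell
# Added example (not from the blog post): inspect and tune the SMB server
# authentication rate limiter, and estimate how long a guessing campaign would
# take at a given delay. Assumes the SmbShare module parameters
# EnableAuthRateLimiter and InvalidAuthenticationDelayTimeInMs; run elevated.

function Get-SmbAuthRateLimiter {
    Get-SmbServerConfiguration |
        Select-Object EnableAuthRateLimiter, InvalidAuthenticationDelayTimeInMs
}

function Set-SmbAuthRateLimiter {
    param(
        [bool]$Enabled = $true,
        # Delay applied after each failed authentication; default is 2000 ms (2 s).
        [int]$DelayMs = 2000
    )
    Set-SmbServerConfiguration -EnableAuthRateLimiter $Enabled `
        -InvalidAuthenticationDelayTimeInMs $DelayMs -Force
    Get-SmbAuthRateLimiter
}

function Get-GuessCampaignDuration {
    # Models the scenario in the post: every failed attempt costs the attacker
    # the configured delay, so wall-clock time is roughly attempts * delay.
    param([int]$AttemptsPerSecond, [int]$DurationSeconds, [int]$DelayMs = 2000)
    $attempts  = [long]$AttemptsPerSecond * $DurationSeconds
    $throttled = [timespan]::FromMilliseconds($attempts * $DelayMs)
    [pscustomobject]@{
        Attempts        = $attempts
        UnthrottledTime = [timespan]::FromSeconds($DurationSeconds)
        ThrottledTime   = $throttled
        ThrottledHours  = [math]::Round($throttled.TotalHours, 1)
    }
}

Get-SmbAuthRateLimiter
# 300 guesses/s for 5 minutes is 90,000 attempts; at 2 s each that is 50 hours.
Get-GuessCampaignDuration -AttemptsPerSecond 300 -DurationSeconds 300
# Keep the default 2 s delay but make sure the limiter is on.
Set-SmbAuthRateLimiter -Enabled $true -DelayMs 2000
```

The delay only slows down failed logons, so legitimate users who type the right password see no difference; the function makes it easy to show management what a longer delay buys before you change the default.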

 

SMB insecure guest auth now off by default in Windows Pro editions

What it is

Windows 11 Pro no longer allows SMB client guest connections or guest fallback to an SMB server by default. This makes Windows 11 Pro operate like Windows 10 and Windows 11 Enterprise, Education, and Pro for Workstation editions have for years.

How it helps you

Guest logons don't require passwords and don't support standard security features like signing and encryption. Allowing a client to use guest logons makes the user vulnerable to attacker-in-the-middle or malicious server scenarios, for instance a phishing attack that tricks a user into opening a file on a remote share, or a spoofed server that makes a client think it's legitimate. The attacker doesn't need to know the user's credentials, and a bad password is ignored. Only third-party remote devices might require guest access by default. Microsoft-provided operating systems haven't enabled guest in server scenarios since Windows 2000.
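
An added PowerShell example (mine, not from the post) that confirms guest logons are off and then looks for recent rejected guest attempts, which is the quickest way to find the third-party devices still relying on guest access. It assumes the SmbShare parameter EnableInsecureGuestLogons and the Microsoft-Windows-SmbClient/Security event log; event ID 31017 ("Rejected an insecure guest logon") is quoted from memory of the Windows documentation and should be verified on your build.

```powershell
# Added example (not from the blog post): confirm insecure guest logons are
# disabled on the SMB client and list recent rejected guest attempts, which
# identify devices that still depend on guest access. Assumes the SmbShare
# module and the Microsoft-Windows-SmbClient/Security log; event ID 31017
# ("Rejected an insecure guest logon") is from memory of the docs. Run elevated.

function Get-SmbGuestLogonState {
    Get-SmbClientConfiguration | Select-Object EnableInsecureGuestLogons
}

function Disable-SmbInsecureGuestLogon {
    # Matches the new Windows 11 Pro 24H2 default (and the long-standing
    # Enterprise/Education default): refuse guest and guest-fallback logons.
    Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force
    Get-SmbGuestLogonState
}

function Get-RejectedGuestLogon {
    # Surfaces the servers that tried to downgrade this client to guest in the
    # last N days, so you can fix or replace them rather than re-enable guest.
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-SmbClient/Security'
        Id        = 31017
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Get-SmbGuestLogonState
Disable-SmbInsecureGuestLogon
Get-RejectedGuestLogon -Days 30
```

If the rejected-logon list is empty after a few weeks you have no guest dependencies left; if it is not, the message text names the server, which is the device to update or replace.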

 

SMB dialect management

What it is

You can now mandate the SMB 2 and 3 protocol versions used.

How it helps you

Previously, the SMB server and client only supported automatically negotiating the highest matched dialect from SMB 2.0.2 to 3.1.1. With dialect management, you can intentionally block older protocol versions or devices from connecting. For example, you can specify that connections only use SMB 3.1.1, the most secure dialect of the protocol. The minimum and maximum can be set independently on both the SMB client and server, and you can set just a minimum if desired.

 

SMB client encryption mandate now supported

What it is

The SMB client now supports requiring encryption of all outbound SMB connections.

How it helps you

Encryption of all outbound SMB client connections enforces the highest level of network security and brings management parity to SMB signing. When enabled, the SMB client won't connect to an SMB server that doesn't support SMB 3.0 or later, or that doesn't support SMB encryption. For example, a third-party SMB server might support SMB 3.0 but not SMB encryption. Unlike SMB signing, encryption is not required by default.
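
Because both a dialect floor (previous section) and an encryption mandate (this section) will cut off any server that cannot meet them, it pays to inventory live connections first. Here is an added PowerShell example (mine, not from the post) covering both: it lists the negotiated dialect, signing and encryption state per server, then applies a minimum dialect and, optionally, RequireEncryption on the client. It assumes the SmbShare parameters Smb2DialectMin/Smb2DialectMax (with values such as SMB202, SMB210, SMB300, SMB302, SMB311) and RequireEncryption.

```powershell
# Added example (not from the blog post): inventory the dialect, signing and
# encryption state of current SMB connections to see what would break, then
# set a dialect floor and require encryption on the client. Assumes the
# SmbShare parameters Smb2DialectMin/Smb2DialectMax (values SMB202, SMB210,
# SMB300, SMB302, SMB311) and RequireEncryption; run elevated.

function Get-SmbConnectionPosture {
    # One row per server: the negotiated dialect and whether the session is
    # signed/encrypted. Servers below SMB 3.0 cannot do SMB encryption at all.
    Get-SmbConnection |
        Sort-Object ServerName -Unique |
        Select-Object ServerName, Dialect, Signed, Encrypted,
            @{ n = 'CanEncrypt'; e = { [version]$_.Dialect -ge [version]'3.0' } }
}

function Set-SmbClientFloor {
    param(
        [ValidateSet('SMB202', 'SMB210', 'SMB300', 'SMB302', 'SMB311')]
        [string]$MinimumDialect = 'SMB300',
        [bool]$RequireEncryption = $false
    )
    # Refuse anything older than the floor; the maximum stays at its default.
    Set-SmbClientConfiguration -Smb2DialectMin $MinimumDialect -Force
    # Only require encryption once the inventory shows every server you need is
    # at SMB 3.0 or later and really encrypts; otherwise those mappings stop working.
    Set-SmbClientConfiguration -RequireEncryption $RequireEncryption -Force
    Get-SmbClientConfiguration |
        Select-Object Smb2DialectMin, Smb2DialectMax, RequireEncryption
}

'Current connections (anything with CanEncrypt = False will fail an encryption mandate):'
Get-SmbConnectionPosture | Format-Table -AutoSize
Set-SmbClientFloor -MinimumDialect 'SMB311' -RequireEncryption $true
```

The Encrypted column tells you what is negotiated today, not what a server could do; for third-party servers that support 3.1.1 but not encryption, the auditing features described later in the post are the reliable check.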

 

Remote Mailslots deprecated and disabled by default

What it is

Remote Mailslots are deprecated and disabled by default for SMB and for DC locator protocol usage with Active Directory.

How it helps you

The Remote Mailslot protocol is an obsolete, simple, unreliable IPC method first introduced in MS-DOS. It is completely unsafe and has no authentication or authorization mechanisms.

 

SMB over QUIC in Windows Server all editions

What it is

SMB over QUIC is now included in all Windows Server 2025 editions (Datacenter, Standard, Azure Edition), not just on Azure Edition like it was in Windows Server 2022.

How it helps you

SMB over QUIC is an alternative to the legacy TCP protocol and is designed for use on untrusted networks like the Internet. It uses TLS 1.3 and certificates to ensure that all SMB traffic is encrypted and usable through edge firewalls for mobile and remote users without the need for a VPN. The user experience does not change at all.

 

SMB over QUIC client access control

What it is

SMB over QUIC client access control lets you restrict which clients can access SMB over QUIC servers. The legacy behavior allowed connection attempts from any client that trusts the QUIC server’s certificate issuance chain.

How it helps you

Client access control creates allow and block lists for devices to connect to the file server. A client would now need its own certificate and be on an allow list to complete the QUIC connection before any SMB connection occurs. Client access control gives organizations more protection without changing the authentication used when making the SMB connection and the user experience does not change. You can also completely disable the SMB over QUIC client or only allow connection to specific servers.
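
To tie the two QUIC sections together, here is an added PowerShell example (mine, not from the post or from Microsoft's docs) that publishes SMB over QUIC on a Windows Server 2025 file server and then restricts it to an allow list of client certificates. The server name, share and certificate hashes are placeholders; the cmdlets New-SmbServerCertificateMapping, Grant-SmbClientAccessToServer and Get-SmbClientAccessToServer and the RequireClientAuthentication parameter are assumed from the Windows Server 2025 SmbShare module.

```powershell
# Added example (not from the blog post): publish SMB over QUIC on a Windows
# Server 2025 file server and restrict it to an allow list of client
# certificates. Names, share and hashes are placeholders. The cmdlets
# New-SmbServerCertificateMapping, Grant-SmbClientAccessToServer and
# Get-SmbClientAccessToServer plus -RequireClientAuthentication are assumed
# from the Windows Server 2025 SmbShare module; run elevated.

$serverName = 'fs1.corp.example'   # placeholder: the name remote clients will use

# Pick the TLS server certificate for that name from the machine store.
$serverCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$serverName" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $serverCert) { throw "No server certificate for $serverName in LocalMachine\My" }

# 1. Bind the certificate to the QUIC listener and require clients to present
#    their own certificate before any SMB traffic flows (client access control).
New-SmbServerCertificateMapping -Name $serverName -Thumbprint $serverCert.Thumbprint `
    -StoreName My -RequireClientAuthentication $true

# 2. Allow only specific clients, identified by the SHA-256 hash of their
#    certificate. The hashes below are placeholders, not real values.
$allowedClients = @(
    '0000000000000000000000000000000000000000000000000000000000000001'   # laptop-01
    '0000000000000000000000000000000000000000000000000000000000000002'   # laptop-02
)
foreach ($hash in $allowedClients) {
    Grant-SmbClientAccessToServer -Name $serverName -IdentifierType SHA256 -Identifier $hash
}

# 3. Review the resulting mapping and allow list.
Get-SmbServerCertificateMapping
Get-SmbClientAccessToServer -Name $serverName

# On an allowed client the share is mapped over QUIC like this (placeholder share):
# New-SmbMapping -LocalPath 'Q:' -RemotePath "\\$serverName\data" -TransportType QUIC
```

The allow list is enforced at the QUIC/TLS layer, so a device that is not on it never reaches SMB authentication at all; the user's Kerberos or NTLM logon on top of the tunnel is unchanged, which is the point the post makes about the user experience staying the same.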

 

SMB alternative ports

What it is

You can use the SMB client to connect to alternative TCP, RDMA, and QUIC ports instead of their IANA/IETF defaults of 445, 5445, and 443 respectively.

How it helps you

With Windows Server, this allows you to host an SMB over QUIC connection on an allowed firewall port other than 443. You can only connect to alternative ports if the SMB server is configured to support listening on that port. You can also configure your deployment to block configuring alternative ports or specify that ports can only connect to certain servers.

 

SMB Firewall default port changes

What it is

The built-in firewall rules don’t contain the SMB NetBIOS ports anymore.

How it helps you

The NetBIOS ports were only necessary for SMB1 usage, and that protocol is deprecated and removed by default. This change brings SMB firewall rules more in line with the standard behavior for the Windows Server File Server role. Administrators can reconfigure the rules to restore the legacy ports.
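
An added PowerShell example (mine, not from the post) that lists the ports opened by the built-in File and Printer Sharing rules and flags any that still expose the SMB1-era NetBIOS ports (137, 138 and 139), which is what you would check after upgrading or after someone has "restored the legacy ports". It uses only the NetSecurity module cmdlets Get-NetFirewallRule and Get-NetFirewallPortFilter.

```powershell
# Added example (not from the blog post): list the ports opened by the
# built-in File and Printer Sharing firewall rules and flag any rule that
# still includes the SMB1-era NetBIOS ports (137, 138, 139), which the new
# default rules omit. Uses only NetSecurity module cmdlets; run elevated.

$netbiosPorts = '137', '138', '139'

function Get-SmbFirewallPortExposure {
    # One row per enabled inbound rule in the group: protocol, local ports,
    # and whether the rule would re-expose NetBIOS. Port filters hold ports
    # as strings ("445", "137", or "Any" for ICMP rules).
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -Enabled True |
        ForEach-Object {
            $rule = $_
            $port = $rule | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule           = $rule.DisplayName
                Protocol       = $port.Protocol
                LocalPort      = (@($port.LocalPort) -join ',')
                ExposesNetBIOS = [bool](@($port.LocalPort) | Where-Object { $_ -in $netbiosPorts })
            }
        }
}

$exposure = Get-SmbFirewallPortExposure
$exposure | Format-Table -AutoSize
if ($exposure | Where-Object ExposesNetBIOS) {
    Write-Warning 'NetBIOS ports are open: only SMB1 needed them, and SMB1 is removed by default.'
} else {
    'No NetBIOS ports exposed; inbound SMB is limited to TCP 445.'
}
```

Run it as part of a post-upgrade baseline check; on a clean Windows Server 2025 install it should report no NetBIOS exposure, and a warning afterwards means someone has reintroduced the legacy rules.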

 

SMB auditing improvements

What it is

SMB now supports auditing use of SMB over QUIC, missing third-party support for encryption, and missing third-party support for signing. These all operate at the SMB server and SMB client level.

How it helps you

It is much easier for you to determine if Windows and Windows Server devices are making SMB over QUIC connections. It is also much easier to determine if third parties support signing and encryption before mandating their usage.
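
Here is an added PowerShell example (mine, not from the post) that switches on the new audit flags on both the client and server and then summarises what the audit logs recorded, which is the data you want before mandating signing or encryption. It assumes the SmbShare parameters AuditSmbOverQuic, AuditClientDoesNotSupportEncryption and AuditClientDoesNotSupportSigning on the server side, AuditServerDoesNotSupportEncryption and AuditServerDoesNotSupportSigning on the client side, and the Microsoft-Windows-SMBServer/Audit and Microsoft-Windows-SMBClient/Audit event logs.

```powershell
# Added example (not from the blog post): enable the new SMB audit flags on
# client and server, then summarise recent audit events by ID so you can see
# which peers lack signing or encryption support, or use SMB over QUIC.
# Assumes the SmbShare parameters named below and the
# Microsoft-Windows-SMBServer/Audit and Microsoft-Windows-SMBClient/Audit logs;
# run elevated.

function Enable-SmbPostureAuditing {
    # Server side: log QUIC use and clients that cannot sign or encrypt.
    Set-SmbServerConfiguration -AuditSmbOverQuic $true `
        -AuditClientDoesNotSupportEncryption $true `
        -AuditClientDoesNotSupportSigning $true -Force
    # Client side: log servers that cannot sign or encrypt.
    Set-SmbClientConfiguration -AuditServerDoesNotSupportEncryption $true `
        -AuditServerDoesNotSupportSigning $true -Force
}

function Get-SmbAuditSummary {
    # Counts recent audit events per log and event ID, with the first line of a
    # sample message so the ID is self-explanatory in the report.
    param([int]$Days = 7)
    $logs = 'Microsoft-Windows-SMBServer/Audit', 'Microsoft-Windows-SMBClient/Audit'
    foreach ($log in $logs) {
        $filter = @{ LogName = $log; StartTime = (Get-Date).AddDays(-$Days) }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Group-Object Id |
            ForEach-Object {
                $sample = ($_.Group | Select-Object -First 1).Message
                [pscustomobject]@{
                    Log     = $log
                    EventId = $_.Name
                    Count   = $_.Count
                    Sample  = (($sample -split "`n")[0]).Trim()
                }
            }
    }
}

Enable-SmbPostureAuditing
Get-SmbAuditSummary -Days 30 | Format-Table -AutoSize
```

Leave the audits on for a full business cycle (month-end jobs included) before reading the summary; a server or client that never shows up as lacking signing or encryption in that window is safe to put behind the mandates described earlier in the post.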

 

Summary

With the release of Windows Server 2025 and Windows 11 24H2, we have made the most changes to SMB security since the introduction of SMB 2 in Windows Vista. Deploying these operating systems fundamentally alters your security posture and reduces risk to this ubiquitous remote file and data fabric protocol used by organizations worldwide.

For more information on changes in Windows Server 2025, visit Windows Server Summit 2024 - March 26-28, 2024 | Microsoft Event. You will find dozens of presentations and demos on the latest features arriving this fall in our latest operating system.

And remember, you can try all of this right now: preview Windows Server 2025 and Windows 11 24H2.

 

Until next time,

- Ned Pyle

Updated Aug 23, 2024
Version 1.0
  • Second that, James.

    Ned, that's a fantastic summary of the neat SMB security improvements only.

    I really like the style of seeing what it is and how it helps us / the customer.

    This could be a great default approach for
    "What's New in Windows Server...." docs.

    Thanks for taking the time to write this!
    Will share it to customers for sure.

    Also hope that starting with Windows Server 2025 SMB over QUIC and controls, it will make VPN obsolete for many use cases.

  • NedPyle, thanks for sharing by consolidating all SMB-related topics together.

    Looking forward to those features being available in the coming soon.... Windows 11 and Windows Server 2025.

  • jrauman

    Thanks Ned! Have the security baselines for Server 2025 been released yet? I went to the Microsoft Security Compliance Toolkit download page and it only has up to Server 2022.