Heya folks, Ned here again. With the release of Windows 11 Insider Preview Build 25314 and Windows Server Preview Build 25314, we have started disabling the Remote Mailslot protocol by default. This is a precursor to deprecation and eventual removal from Windows. You aren't using this extremely legacy protocol unless you're also using the deprecated and disabled-by-default SMB1 protocol, so 99.97% of you have nothing to worry about. For those who are, a bit more information:
Remote Mailslots
The Remote Mailslot protocol is a very old, simple, unreliable, insecure IPC method. A server creates a mailslot and a client writes messages to it using NetBIOS datagrams as a transport when operating over a network with Windows. The sender of the mailslot message formats the SMB_COM_TRANSACTION message and sends it as a NetBIOS datagram. The Proto-SMB1 Common Internet File System (CIFS) Browser Protocol uses "\MAILSLOT\LANMAN" and "\MAILSLOT\BROWSE", for instance.
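To find machines that still send this traffic, the following Python example (added here, not code from the original post or from Microsoft) parses a UDP port 138 payload in the layout just described, a NetBIOS datagram carrying SMB_COM_TRANSACTION, and reports the sender and mailslot name. The RFC 1002 and SMB1 field offsets are as I know them, the function names are hypothetical, and the sample datagram is constructed.

```python
import struct

SMB_COM_TRANSACTION = 0x25
NBT_TYPES = {0x10: "DIRECT_UNIQUE", 0x11: "DIRECT_GROUP", 0x12: "BROADCAST"}

def decode_name(enc):
    # RFC 1002 first-level encoding: each nibble of the 16-byte name plus 'A'.
    raw = bytes((((enc[i] - 65) & 15) << 4) | ((enc[i + 1] - 65) & 15)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip()

def encode_name(name, suffix):
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return b"\x20" + bytes(65 + n for b in raw for n in (b >> 4, b & 15)) + b"\x00"

def find_mailslot_write(payload):
    """Return sender, target and mailslot name for a UDP/138 payload, or None."""
    if len(payload) < 14 + 68 + 33 or payload[0] not in NBT_TYPES:
        return None
    names, off = [], 14                     # 14-byte NetBIOS datagram header
    for _ in range(2):                      # source name, then destination name
        if payload[off] != 0x20 or payload[off + 33] != 0:
            return None                     # scoped names are not handled here
        names.append(decode_name(payload[off + 1:off + 33]))
        off += 34
    smb = payload[off:]
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_TRANSACTION:
        return None
    start = 32 + 1 + 2 * smb[32] + 2        # header, WordCount, words, ByteCount
    end = smb.find(b"\x00", start)
    slot = smb[start:end].decode("ascii", "replace") if end != -1 else ""
    if not slot.upper().startswith("\\MAILSLOT\\"):
        return None
    return {"type": NBT_TYPES[payload[0]], "src_ip": ".".join(map(str, payload[4:8])),
            "src": names[0], "dst": names[1], "mailslot": slot}

def constructed_sample(slot=b"\\MAILSLOT\\BROWSE"):
    # Constructed datagram for testing; all field values are illustrative.
    data = b"\x01sample"
    words = struct.pack("<HHHHBBHIHHHHHBB3H", 0, len(data), 0, 0, 0, 0, 0, 0, 0,
                        0, 0, len(data), 0, 3, 0, 1, 1, 2)
    body = slot + b"\x00" + data
    smb = (b"\xffSMB" + bytes([SMB_COM_TRANSACTION]) + bytes(27) + bytes([17])
           + words + struct.pack("<H", len(body)) + body)
    names = encode_name("WS01", 0x00) + encode_name("WORKGROUP", 0x1D)
    hdr = struct.pack(">BBH4sHHH", 0x11, 0x02, 1, bytes([192, 0, 2, 10]), 138,
                      len(names) + len(smb), 0)
    return hdr + names + smb
```

Feed `find_mailslot_write` the UDP payloads from a capture filtered on port 138; any non-`None` result names a host that will be affected by the new default.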
Mailslots are older than Windows NT, dating back to LAN Manager DOS days. It goes without saying that this protocol is disgusting. If you've been an IT Pro for a few decades, you might recall people using the anonymous NET SEND command (MAILSLOT\Messngr) to broadcast important messages to all logged on users, or more likely, this kind of crap:
What changed
Starting with Windows 11 Insider Preview Build 25314, remote mailslot is disabled by default. If you have manually re-enabled SMB1 (which has been disabled by default since Windows 10) and some application is still using a Remote Mailslot, it will see one of the following errors:
3025
ERROR_REMOTE_MAILSLOTS_DEPRECATED
"The requested operation failed. Remote mailslots have been deprecated."
Contact your vendor about updating their software to join the 21st century, as it requires both SMB1 and Remote Mailslot. This protocol is not secure, was replaced decades ago by better technology, and should not be used under any circumstances.
If you need to re-enable Remote Mailslots temporarily while you yell at your vendor or developer, use the following PowerShell command:
PS C:\> Set-SmbClientConfiguration -EnableMailslots $true
Remote Mailslots will get officially deprecated in the next release of Windows and Windows Server, meaning that it can eventually be removed altogether. That will take time and there will be plenty of public warning, just like SMB1 had.
Final notes
This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:
- SMB alternative ports (November 2023)
- SMB Firewall changes in Windows insider (November 2023)
- SMB over QUIC now available in Windows Server Insider Datacenter and Standard editions (November 2023)
- SMB client encryption mandate now supported in Windows Insider (October 2023)
- SMB over QUIC client access control now supported in Windows Insider (October 2023, updated Nov 2023)
- SMB NTLM blocking (September 2023, updated Nov 2023)
- SMB dialect management (September 2023)
- SMB signing required by default in Windows Insider (June 2023)
- The beginning of the end of Remote Mailslots (March 2023)
- SMB insecure guest auth now off by default in Windows Insider Pro editions (January 2023)
- SMB authentication rate limiter now on by default in Windows Insider (September 2022)
- SMB1 now disabled by default for Windows 11 Home Insiders builds (April 2022)
For more information on securing SMB on Windows in-market, check out:
- SMB security enhancements | Microsoft Learn
- Secure SMB Traffic in Windows Server | Microsoft Learn
- Protect SMB traffic from interception | Microsoft Learn
Until next time,
- Ned Pyle