[Updated on 22 September 2022] SMB Server Authentication Rate Limiter Will Be On by Default in Windows Insider
The newest Windows 11 Insider and Windows Server Insider builds now ship with the SMB authentication rate limiter on by default. The feature helps protect systems from brute force attacks by significantly increasing the amount of time such attacks take: “The SMB server service now defaults to a 2-second default between each failed inbound NTLM authentication.”
Note
- If you think back, protests against making a higher level of security the default almost invariably overhyped the potential disruption to real business operations, and the protests quickly dissipated. Now is a great time for all software vendors to raise the bar and make real gains in security and privacy that will NOT impact productivity.
- Note this is Windows 11, starting with Insider Build 25206, and Windows Server Insider builds. This is off by default on the Server builds and needs to be enabled with the following PowerShell command: "Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n". The interval must be in increments of 100, between 0 and 10,000. Also, make sure the local firewall limits SMB access appropriately.
- Peter Capek, who introduced me to the idea of rate limiting some forty years ago, recommended increasing the time between failed attempts exponentially, until reset by a successful attempt. This would resist most attacks without a noticeable impact on legitimate users.
Read more in
- This Windows 11 security feature makes your PC ‘very unattractive’ to password hackers
- Windows 11 gets better protection against SMB brute-force attacks
Overview
But that’s not the only good news for Windows 11 security nerds. Microsoft also announced a new security feature that will soon come to the OS and is currently ready for testing in Insider builds. Called the SMB authentication rate limiter, this new feature will block brute-force attacks against a Windows 11 system’s SMB service, where attackers try a large number of user/password combos in an attempt to log into a Windows system via its SMB service.
With the release of Windows 11 Insider Preview Build 25206 Dev Channel today, the SMB server service now defaults to a 2-second default between each failed inbound NTLM authentication. This means if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes (90,000 passwords), the same number of attempts would now take 50 hours at a minimum. The goal here is to make a machine a very unattractive target for attacking local credentials through SMB.
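As an added illustration (not code from the article, Microsoft, or the cited articles), the following Python models the server-side delay policy described above: it reproduces the 90,000-guess arithmetic for the fixed 2-second delay, computes the cost under the exponential backoff suggested in the note earlier on this page, validates a candidate InvalidAuthenticationDelayTimeInMs value against the stated 100 ms / 0 to 10,000 constraints, and keeps per-client failure state that resets on a successful logon. The class and function names, and the optional cap on exponential growth, are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

MS_PER_S = 1000


def valid_delay_setting_ms(ms: int) -> bool:
    """Check a value against the documented constraints for
    -InvalidAuthenticationDelayTimeInMs: multiple of 100, within 0..10000."""
    return 0 <= ms <= 10_000 and ms % 100 == 0


def fixed_delay_total_seconds(failed_attempts: int, delay_ms: int = 2000) -> float:
    """Minimum wall-clock time an attacker needs for the given number of failed
    guesses when the server pauses delay_ms after every failed NTLM authentication."""
    return failed_attempts * delay_ms / MS_PER_S


def exponential_delay_total_seconds(failed_attempts: int, base_ms: int = 2000,
                                    cap_ms: Optional[int] = None) -> float:
    """Same measurement when the delay doubles after each consecutive failure.
    cap_ms is an assumed optional ceiling; the note on this page proposes none."""
    total_ms, delay = 0, base_ms
    for _ in range(failed_attempts):
        total_ms += delay
        delay = delay * 2 if cap_ms is None else min(delay * 2, cap_ms)
    return total_ms / MS_PER_S


@dataclass
class AuthRateLimiter:
    """Hypothetical per-client limiter: fixed delay by default, or doubling
    delay per consecutive failure; a successful attempt clears the counter."""
    base_ms: int = 2000
    exponential: bool = False
    failures: Dict[str, int] = field(default_factory=dict)

    def delay_after_attempt(self, client: str, success: bool) -> int:
        """Return the delay (ms) the server should impose before answering
        the next attempt from this client."""
        if success:
            self.failures.pop(client, None)  # reset on success
            return 0
        n = self.failures.get(client, 0)
        self.failures[client] = n + 1
        return self.base_ms * (2 ** n) if self.exponential else self.base_ms
```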