Windows 11 now has much better protection against brute-force attacks
Microsoft’s SMB server service on Windows 11 has received an update aimed at better protecting it against brute-force attacks.
In the latest Windows 11 2022 update of the operating system, the Insider Preview Build 25206, which was recently pushed to the Dev Channel, the SMB authentication speed limiter is enabled by default.
In addition, a number of other settings have been adjusted to make these attacks “less effective”.
Unattractive target
“With the release of Windows 11 Insider Preview Build 25206 Dev Channel today, the SMB server service now defaults to a default value of 2 seconds between each failed inbound NTLM authentication,” said Ned Pyle, Principal Program Manager in the Microsoft Windows Server engineering group, in a blog post announcing the news.
“This means that if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes (90,000 passwords), the same number of attempts would now take a minimum of 50 hours.”
In other words, by enabling the feature, there is a delay between each failed NTLM authentication attempt, making the SMB server service more resilient to brute-force attacks.
“The goal here is to make a Windows client an unattractive target, either in a workgroup or for its local accounts when it’s joined to a domain,” added Microsoft’s Amanda Langowski and Brandon LeBlanc.
The authentication speed limiter, which was disabled by default until now, was first introduced in Windows Server, Windows Server Azure Edition, and Windows 11 Insider builds about six months ago. The SMB server service itself, by contrast, starts automatically on all versions of Windows, but it is only reachable from the Internet if someone manually opens a firewall port for it.
Those interested in trying out the new feature should run this PowerShell command, where n is the delay in milliseconds to enforce after each failed authentication:
Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n
“This behavior change has no effect on Kerberos, which authenticates before an application protocol such as SMB connects. It is designed as an additional layer of defense, especially for devices that are not joined to domains such as home users,” Pyle also said.
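As an added example (not code from the article or from Microsoft), the script below audits the delay setting described above, raises it to the 2-second default if it is lower, and checks whether inbound SMB is allowed through the local firewall. It assumes an elevated session on a build that exposes the InvalidAuthenticationDelayTimeInMs property, and it assumes the built-in inbound rule is named "File and Printer Sharing (SMB-In)".

```powershell
# Added example, not code from the article or from Microsoft.
# Audits and, if needed, raises the SMB server's delay between failed
# inbound NTLM logons, then checks whether inbound SMB is reachable.
# Assumes an elevated session on a build that exposes the
# InvalidAuthenticationDelayTimeInMs property; older builds lack it.

$DesiredDelayMs = 2000   # the 2-second default the article quotes

$cfg = Get-SmbServerConfiguration
if ($null -eq $cfg.PSObject.Properties['InvalidAuthenticationDelayTimeInMs']) {
    Write-Warning "This build has no SMB authentication rate limiter; update Windows first."
    return
}

$currentMs = [int]$cfg.InvalidAuthenticationDelayTimeInMs
Write-Host "Current delay per failed NTLM authentication: $currentMs ms"

# Cost of the article's 90,000-guess example at the configured delay.
$guesses = 90000
if ($currentMs -gt 0) {
    $hours = ($guesses * $currentMs) / 1000 / 3600
    Write-Host ("90,000 guesses now take at least {0:N1} hours" -f $hours)
} else {
    Write-Host "Delay is 0 ms: the limiter is off, guesses are bounded only by network speed"
}

if ($currentMs -lt $DesiredDelayMs) {
    Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs $DesiredDelayMs -Force
    Write-Host "Delay raised to $DesiredDelayMs ms"
}

# Is the SMB server exposed at all? The rule display name is an assumption.
$rules = Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -ErrorAction SilentlyContinue
if ($rules) {
    $open = $rules | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
    if ($open) {
        Write-Warning "Inbound SMB (TCP 445) is allowed in profile(s): $(($open.Profile | Sort-Object -Unique) -join ', ')"
    } else {
        Write-Host "Inbound SMB is blocked by the local firewall"
    }
}
```

The delay is a per-connection slowdown, not a lockout, so the firewall check matters at least as much as the setting itself for an Internet-facing machine.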