https://aka.ms

SMB authentication rate limiter now on by default in Windows Insider

Heya folks, Ned here again. Back in the spring of 2022 we released a new SMB preview feature: the SMB authentication rate limiter. It is available in Windows 11 Insider and Windows Server Insider builds. IT staff often enable access to the SMB server service even on machines that aren't dedicated file servers for legitimate reasons like opening remote files or copying logs. A side effect of this is that SMB becomes a way to attempt authentication. Knowing a username, an attacker can send local or Active Directory NTLM logons to a machine using common opensource tools - from dozens to hundreds of logon attempts per second - to guess a password. If your organization has no intrusion detection software or doesn't set a password lockout policy, an attacker might guess a user's password in a matter of days or hours. A consumer user who turns off their firewall and brings their device to an unsafe network has a similar problem.

With the release of Windows 11 Insider Preview Build 25206 Dev Channel and Windows Server Preview Build 25997, the SMB server service now defaults to a 2-second default between each failed inbound NTLM authentication. This means if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes (90,000 passwords), the same number of attempts would now take 50 hours at a minimum. The goal here is to make a machine a very unattractive target for attacking local credentials through SMB.

To see the current value, run:

Get-SmbServerConfiguration

This setting has variable time configuration, and you can also disable it if you find some application compatibility issue. It's controlled by PowerShell:

Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n

The value is in milliseconds, must be a multiple of 100 (i.e., you can set it to 500, 2000, or 4800, but not 50 or 1337), and can be between 0-10000. Setting to 0 disables the feature.

Here's a demo

If you do find an app compat issue with this, file a feedback hub bug and tell me here so it's not lost in the shuffle. I am very interested in hearing about any issues with this new default, I won't ship with it on by default unless it's helping more than hurting.

The default inbound behavior of the SMB server itself does not change - unless you intentionally open your firewall or create a custom SMB share, thereby opening the firewall - SMB is still not accessible remotely to a machine by default.

This behavior change has no effect on Kerberos, which authenticates before an application protocol like SMB finishes connecting and the client talks directly to a KDC. It is designed to be another layer of defense in depth, especially for devices not joined to domains such as home users.

Final Notes

This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:

For more information on securing SMB on Windows in-market, check out:

Until nex time,

Ned Pyle