Windows 11 to require SMB signing to prevent NTLM relay attacks
Microsoft says SMB signing (aka security signatures) will be required by default for all connections to defend against NTLM relay attacks, starting with today's Windows build (Enterprise edition) rolling out to Insiders in the Canary Channel.
In such attacks, threat actors force network devices (including domain controllers) to authenticate against malicious servers under the attackers' control to impersonate them and elevate privileges to gain complete control over the Windows domain.
"This changes legacy behavior, where Windows 10 and 11 required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing when any client connected to them," Microsoft said.
SMB signing helps block malicious authentication requests by confirming the sender's and receiver's identities via signatures and hashes embedded at the end of each message.
SMB servers and remote shares where SMB signing is disabled will trigger connect errors with various messages, including "The cryptographic signature is invalid," "STATUS_INVALID_SIGNATURE," "0xc000a000," or "-1073700864."
This security mechanism has been available for a while now, starting with Windows 98 and 2000, and it has been updated in Windows 11 and Windows Server 2022 to improve performance and protection by significantly accelerating data encryption.
While blocking NTLM relay attacks should be at the top of the list for any security team, Windows admins might take issue with this approach since it could lead to lower SMB copy speeds.
"SMB signing can reduce the performance of SMB copy operations. You can mitigate this with more physical CPU cores or virtual CPUs as well as newer, faster CPUs," Microsoft warned.
However, admins have the option to disable the SMB signing requirement in server and client connections by running the following commands from an elevated Windows PowerShell terminal:
While no system restart is required after issuing these commands, already opened SMB connections will continue using signing until they're closed.
"Expect this default change for signing to come to Pro, Education, and other Windows editions over the next few months, as well as to Windows Server. Depending on how things go in Insiders, it will then start to appear in major releases," said Microsoft Principal Program Manager Ned Pyle.
Today's announcement is part of a broader move to improve Windows and Windows Server security, as shown throughout last year.
In April 2022, Microsoft announced the final phase of disabling SMB1 in Windows by disabling the 30-year-old file-sharing protocol by default for Windows 11 Home Insiders.
Five months later, the company announced better protection against brute-force attacks with the introduction of an SMB authentication rate limiter to tackle failed inbound NTLM authentication attempts.
Windows 11 will let you view phone photos in File Explorer
Windows 11 finally gets a 'never combine taskbar buttons' mode
Microsoft testing improved Explorer details pane, Windows Spotlight
Microsoft enables LSA protection by default in Windows Canary build
Windows 11 Moment 3 hands on, here's everything new