September 22, 2022

The newly released Windows 11 Insider Preview Build 25206 for the Dev Channel will ensure that Windows 11 SMB server is better protected against brute-force attacks.

Microsoft has enabled the SMB authentication rate limiter by default and tweaking some of its settings to make such attacks less effective. Once turned on, the feature adds a delay between each failed NTLM authentication as additional protection for the SMB server service.

While the SME server will be launched automatically on all versions of Windows, it is only exposed to the internet only if the firewall is opened manually or a customer SMB share is created to open it.

“With the release of Windows 11 Insider Preview Build 25206 Dev Channel today, the SMB server service now defaults to a 2-second default between each failed inbound NTLM authentication. This means if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes (90,000 passwords), the same number of attempts would now take 50 hours at a minimum,” said Ned Pyle, Principal Program Manager in the Microsoft Windows Server engineering group.

Administrators who want to take advantage of the new security feature on systems running Windows Server can activate it manually with the PowerShell command “Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n.”

The sources for this piece include an article in BleepingComputer.