Windows 11 to require SMB signing to prevent NTLM relay attacks


Microsoft says SMB signing (aka security signatures) will be required by default for all connections to defend against NTLM relay attacks, starting with today’s Windows build rolling out to Insiders in the Canary Channel.

In such attacks, threat actors coerce network devices (including domain controllers) into authenticating to a server under the attackers’ control, then relay that NTLM authentication to another service to impersonate the victim, elevate privileges, and ultimately gain complete control over the Windows domain.

“This changes legacy behavior, where Windows 10 and 11 required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing when any client connected to them,” Microsoft said.

SMB signing blocks relayed authentication because every SMB message carries, in its header, a signature (a keyed hash, or MAC) computed with a session key that both ends derive from the authentication exchange. An attacker who merely forwarded someone else’s NTLM authentication never obtains that key, cannot produce valid signatures, and has its unsigned or mis-signed messages rejected.

Once a client requires signing, connections to SMB servers and remote shares that have signing disabled will fail with errors such as “The cryptographic signature is invalid,” “STATUS_INVALID_SIGNATURE,” “0xc000a000,” or “-1073700864” (the same NTSTATUS code in decimal).

SMB signing is not new: it has been available since Windows 98 and Windows 2000, and it was updated in Windows 11 and Windows Server 2022 to improve both performance and protection, notably by speeding up the cryptography behind signing and encryption.

Downsides of improved security

While blocking NTLM relay attacks should be at the top of the list for any security team, Windows admins might take issue with this approach since it could lead to lower SMB copy speeds.

“SMB signing can reduce the performance of SMB copy operations. You can mitigate this with more physical CPU cores or virtual CPUs as well as newer, faster CPUs,” Microsoft warned.

However, admins who accept the renewed exposure to relay attacks can disable the SMB signing requirement for server and client connections by running the following commands from an elevated Windows PowerShell terminal:

Set-SmbClientConfiguration -RequireSecuritySignature $false
Set-SmbServerConfiguration -RequireSecuritySignature $false

While no system restart is required after issuing these commands, already opened SMB connections will continue using signing until they’re closed.
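The following script is an added example, not part of the article or of Microsoft’s post. It audits the signing posture described above (client and server configuration, plus which live connections are actually signed), probes a share and recognises the failure strings the article lists, and can relax or restore the requirement with a before-and-after snapshot. The share path, parameter names and helper function are assumptions for illustration; run it from an elevated PowerShell session on Windows 11.

```powershell
# Added example (not the article's or Microsoft's code). Audits SMB signing on a
# Windows 11 host and optionally toggles the requirement. Run elevated.
param(
    # Placeholder UNC path, assumed for the probe; replace with a real share.
    [string]$ProbeShare = '\\fileserver01\share',
    [switch]$DisableRequirement,   # relax the default, as the article describes
    [switch]$RestoreRequirement    # put the secure default back
)

# Snapshot of the client- and server-side signing settings.
function Get-SmbSigningPosture {
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        ClientRequiresSigning = $client.RequireSecuritySignature
        ClientEnablesSigning  = $client.EnableSecuritySignature
        ServerRequiresSigning = $server.RequireSecuritySignature
        ServerEnablesSigning  = $server.EnableSecuritySignature
    }
}

Write-Host 'Current signing posture:'
Get-SmbSigningPosture | Format-List

# Configuration says what new sessions will do; this shows what existing
# sessions actually negotiated. Only Signed = True sessions resist relay.
Write-Host 'Active outbound SMB connections:'
Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect, Signed, Encrypted |
    Format-Table -AutoSize

# Probe a share and classify a failure by the error strings the article lists.
try {
    $null = Get-Item -LiteralPath $ProbeShare -ErrorAction Stop
    Write-Host "Reached $ProbeShare"
} catch {
    $msg = $_.Exception.Message
    if ($msg -match 'cryptographic signature|STATUS_INVALID_SIGNATURE|0xc000a000|-1073700864') {
        Write-Warning "$ProbeShare cannot satisfy the signing requirement: $msg"
        Write-Warning 'Prefer enabling signing on that server over relaxing this client.'
    } else {
        Write-Warning "Probe of $ProbeShare failed for another reason: $msg"
    }
}

# -Force suppresses the confirmation prompt these cmdlets raise by default.
if ($DisableRequirement) {
    Set-SmbClientConfiguration -RequireSecuritySignature $false -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $false -Force
}
if ($RestoreRequirement) {
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}
if ($DisableRequirement -or $RestoreRequirement) {
    Write-Host 'Posture after change (open sessions keep their negotiated signing until closed):'
    Get-SmbSigningPosture | Format-List
}
```

Run it with no switches first to see whether the problem is really the local requirement or a remote server with signing turned off; the second case is better fixed on that server than by running the script with `-DisableRequirement`, and `-RestoreRequirement` puts the default back once the server is corrected.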

“Expect this default change for signing to come to Pro, Education, and other Windows editions over the next few months, as well as to Windows Server. Depending on how things go in Insiders, it will then start to appear in major releases,” said Microsoft Principal Program Manager Ned Pyle.

Today’s announcement is part of a broader move to improve Windows and Windows Server security, as shown throughout last year.

In April 2022, Microsoft announced the final phase of disabling SMB1 in Windows by disabling the 30-year-old file-sharing protocol by default for Windows 11 Home Insiders.

Five months later, the company announced better protection against brute-force attacks with the introduction of an SMB authentication rate limiter to tackle failed inbound NTLM authentication attempts.
