To defend against brute-force attacks, Microsoft has enabled an authentication rate limiter by default in the Windows SMB server in the latest Insider Preview build on the Dev Channel.
The limiter inserts a delay after every failed NTLM authentication, making such attacks slow and unattractive to attackers. System administrators turn this protection on with a PowerShell command.
Protecting Windows 11 SMB
The Server Message Block (SMB) service in Windows is one of the components most frequently targeted by attackers, because compromising it gives them deep access to the target machine. To limit this, Microsoft has put an authentication rate limiter in place, which restricts how many authentication attempts the system accepts per second.
Starting with Insider Preview Build 25206 on the Dev Channel, this protection is enabled by default on Windows 11 SMB servers, Azure machines, and beta builds. It now imposes a 2-second default delay after each failed inbound NTLM authentication, widening the gap between the rapid repeated attempts that characterise brute-force attacks.
With this in place, a brute-force attack that previously ran 300 attempts per second (90,000 attempts in 5 minutes) now needs at least 50 hours for the same 90,000 attempts. This drastic slowing of failed authentications should make the SMB server a far less attractive target.
System administrators turn this on by running the following PowerShell command, where n is the delay in milliseconds between failed NTLM authentication attempts:
Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n
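The following added example (not from the article or from Microsoft) audits the current delay, warns when it is 0 ms (no throttling), applies the 2-second value the article describes, and reads it back to confirm. It assumes Get-SmbServerConfiguration exposes the setting under the same name as the Set- parameter quoted above; builds before this feature will not have the property.

```powershell
# Added example: audit and enforce the SMB failed-NTLM authentication delay.
# Assumption: Get-SmbServerConfiguration exposes InvalidAuthenticationDelayTimeInMs
# (same name as the Set-SmbServerConfiguration parameter the article quotes).
#Requires -RunAsAdministrator

param(
    # Delay to enforce between failed inbound NTLM authentications.
    # 2000 ms matches the default described in the article; 0 disables it.
    [ValidateRange(0, 60000)]
    [int]$DelayMs = 2000
)

$config = Get-SmbServerConfiguration

# Older SMB server builds do not have this setting at all; stop rather than
# silently reporting "0 ms" for a property that does not exist.
if ($null -eq $config.PSObject.Properties['InvalidAuthenticationDelayTimeInMs']) {
    throw 'This SMB server build does not expose InvalidAuthenticationDelayTimeInMs.'
}

$current = $config.InvalidAuthenticationDelayTimeInMs
Write-Host "Current failed-auth delay: $current ms"

if ($current -eq 0) {
    # Weak setting: failed NTLM attempts are not throttled at all.
    Write-Warning 'SMB authentication rate limiter is disabled.'
}

if ($current -ne $DelayMs) {
    # -Force suppresses the confirmation prompt so this can run unattended.
    Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs $DelayMs -Force

    # Read back instead of trusting the call succeeded.
    $current = (Get-SmbServerConfiguration).InvalidAuthenticationDelayTimeInMs
    if ($current -ne $DelayMs) {
        throw "Failed to apply delay: wanted $DelayMs ms, server reports $current ms."
    }
    Write-Host "Applied failed-auth delay: $current ms"
}

# Show the effect using the article's figures: a fixed number of failed
# attempts can complete no faster than attempts * delay.
$attempts = 90000
$minHours = [math]::Round(($attempts * $current) / 1000 / 3600, 1)
Write-Host "$attempts failed attempts now take at least $minHours hours (was 5 minutes at 300/s with no delay)."
```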
Commenting on the change, Ned Pyle, Principal Program Manager in the Microsoft Windows Server engineering group, said:
“We will harden, deprecate, or remove many legacy SMB and pre-SMB protocol behaviors over the next few major releases of operating systems in a security modernization campaign, similar to the removal of SMB1”.