Microsoft has introduced a new default to shield Windows 11 machines against password attacks which ought to make them “a very unattractive target” for hackers trying to steal credentials.
The latest preview of Windows 11 ships with the SMB server authentication rate limiter on by default, making it much more time-consuming for attackers to target the server with password-guessing attacks.
“The SMB server service now defaults to a 2-second default between each failed inbound NTLM authentication,” explains Microsoft security expert Ned Pyle.
“This means if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes (90,000 passwords), the same number of attempts would now take 50 hours at a minimum. The goal here is to make a machine a very unattractive target for attacking local credentials through SMB.”
The rate limiter was previewed this March but is now the default on Windows 11.
SMB refers to the Server Message Block (SMB) network file sharing protocol. Windows and Windows Server come with the SMB server enabled. NTLM refers to the NT Lan Manager (NTLM) protocol for client-sever authentication with, for example, Active Directory (AD) NTLM logons.
An attacker on a network can pose as a ‘friendly server’ to intercept NTLM credentials transmitted between client and server. Another option is using a known username and then guessing the password with multiple logon attempts. Without the default rate limiter setting, an attacker could guess the password within days or hours, without being spotted, notes Pyle.
The SMB default rate limiter setting is available in the Windows 11 Insider Preview Build 25206 to the Dev Channel. While the SMB server runs by default in Windows, it’s not accessible by default. The SMB server rate limiter will however serve a purpose because admins often make it accessible when creating a customer SMB share that opens the firewall.
“Starting in Build 25206, it is on by default and set to 2000ms (2 seconds). Any bad usernames or passwords sent to SMB will now cause a 2 second delay by default in all editions of Windows Insiders. When first released to Windows Insiders, this protection mechanism was off by default. This behavior change was not made to Windows Server Insiders, it still defaults to 0,” the Windows Insider team notes.
The new default should help in situations where users or admins configure machines and networks in a way that exposes them to password guess attacks.
“If your organization has no intrusion detection software or doesn’t set a password lockout policy, an attacker might guess a user’s password in a matter of days or hours. A consumer user who turns off their firewall and brings their device to an unsafe network has a similar problem,” explains Pyle.
Microsoft is gradually rolling out more secure defaults in Windows 11. Earlier this year it introduced a default account lockout policy to mitigate RDP and other brute force password attacks.
And in the Windows 11 2022 Update Microsoft added several more security defaults, such as Smart App Control to only allow safe apps to run, and by default blocking PowerShell, LNK files, and Visual Basic scripts from the internet.
Pyle has also posted a demo of the SMB rate limiter in action.