Microsoft to Enable SMB Authentication Rate Limiter By Default in Windows 11


Back in March, Microsoft started testing a new SMB authentication rate limiter feature in Windows 11 and Windows Server. Now, the company has enabled this feature by default in the latest Windows 11 preview build 25206 for Insiders in the Dev Channel.

The Server Message Block (SMB) protocol is the network file-sharing protocol Windows uses to let clients open, read and write files on remote computers and request services from server programs. NT LAN Manager (NTLM) is the challenge-response authentication protocol that a client uses to prove its identity to a resource, either with a local account on that machine or with an Active Directory domain account.

According to Microsoft, an attacker with network access to a machine can use open source tools to send a large number of local or Active Directory (AD) NTLM logon requests to its SMB server. Because the server answered each failed attempt immediately, this made online password guessing cheap, and a guessed password can then be reused to move laterally across the corporate network.

Windows 11 gets better protection against brute force attacks

With this release, the SMB server now imposes a 2-second delay after each failed inbound NTLM authentication attempt by default. The delay does not block the attacker, but it caps the rate at which passwords can be tried, which makes online brute-force attacks against Windows 11 machines far more expensive.

“This means if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes (90,000 passwords), the same number of attempts would now take 50 hours at a minimum. The goal here is to make a machine a very unattractive target for attacking local credentials through SMB,” the Windows Insider team explained.

Microsoft says that IT admins can run the "Get-SmbServerConfiguration" PowerShell command to check their current configuration. They can also change the delay by running the following command, where n is the delay in milliseconds (0 disables the rate limiter): Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n
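The following PowerShell session, added here as an example and not taken from Microsoft's announcement, shows how an administrator would audit and adjust the setting on a build that carries the new parameter. It assumes the build exposes the InvalidAuthenticationDelayTimeInMs property on Get-SmbServerConfiguration and Set-SmbServerConfiguration as described above; on older builds the property is absent and the first check reports that.

```powershell
# Run from an elevated PowerShell prompt on a Windows 11 Insider build that ships the SMB rate limiter.

function Get-SmbAuthDelay {
    # Returns the current delay in milliseconds, or $null if this build lacks the setting.
    $cfg = Get-SmbServerConfiguration
    if ($null -eq $cfg.PSObject.Properties['InvalidAuthenticationDelayTimeInMs']) {
        Write-Warning 'This build does not expose InvalidAuthenticationDelayTimeInMs; the SMB rate limiter is not available.'
        return $null
    }
    return [int]$cfg.InvalidAuthenticationDelayTimeInMs
}

function Set-SmbAuthDelay {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 10000)]   # assumed sane bounds for this example; 0 turns the limiter off
        [int]$Milliseconds
    )
    # -Force suppresses the confirmation prompt so the call works in scripts.
    Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs $Milliseconds -Force
    $applied = Get-SmbAuthDelay
    if ($applied -ne $Milliseconds) {
        throw "Expected delay of $Milliseconds ms but server reports $applied ms."
    }
    return $applied
}

function Get-BruteForceCostHours {
    # Estimates how long an online guess of $Attempts passwords takes when every failure costs $DelayMs.
    param([long]$Attempts, [int]$DelayMs)
    return [math]::Round(($Attempts * $DelayMs) / 1000 / 3600, 1)
}

$current = Get-SmbAuthDelay
"Current delay: $current ms"

if ($current -eq 0) {
    # A value of 0 means the limiter is disabled; restore Microsoft's default of 2000 ms.
    Write-Warning 'SMB authentication rate limiter is disabled; re-enabling with the 2 s default.'
    Set-SmbAuthDelay -Milliseconds 2000 | Out-Null
}

# 90,000 guesses at 2,000 ms each works out to 50 hours, matching the figure in Microsoft's post.
"90,000 guesses at 2000 ms: $(Get-BruteForceCostHours -Attempts 90000 -DelayMs 2000) hours"
```

Two caveats worth keeping in mind when tuning this. The delay only applies to failed NTLM authentication against the SMB server service; it does nothing for Kerberos logons or for other services that accept NTLM. And a large value slows legitimate users who mistype a password only slightly, but it also gives an attacker an easy way to tie up failed-logon handling, so values far above the 2-second default should be tested before being rolled out.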


Currently, the SMB authentication rate limiter is only enabled by default for Dev Channel Insiders on Windows 11. The Windows Insider team will continue to listen to user feedback and address any issues before rolling it out to the production channel. There is no ETA for when this security feature will go live, but Microsoft has asked Insiders to report bugs through the Feedback Hub.

Earlier this week, Microsoft released the Windows 11 2022 Update with several new features, including Smart App Control. It helps to prevent potentially malicious apps from running on Windows PCs. Microsoft has also enabled some existing security features by default for new Windows 11 devices.