Windows Server Insider Build 25075 Brings New Brute Force Attack Prevention Capabilities


Microsoft has announced the release of a new Windows Server Insider Preview Build 25075. The latest build is for the next Long-Term Servicing Channel (LTSC) release for the OS, which should be Windows Server version 2022.

This new Windows Server build brings new security capabilities that should help organizations to prevent brute-force dictionary attacks. Microsoft has introduced a new SMB NTLM authentication limiting feature, which adds a 2-second delay between each failed New Technology LAN Manager (NTLM) or PKU2U-based authentication request.

“Starting in Windows Insider build 25069.1000.220302-1408 and later on Windows 11 and Windows Server 2022, the SMB Server service now implements a default 2-second delay between each failed NTLM-based authentication. This means that if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes, the same number of attempts would now take 25 hours at a minimum,” the Windows Server Insider team explained.

For those unfamiliar, Server Message Block (SMB) is a popular file server protocol. It lets users communicate with remote PCs and servers to access resources such as files and directories, or to perform tasks like sharing, opening, and editing documents.

The SMB server service is usually enabled on non-file server machines so that users can access remote files and copy logs. However, threat actors could abuse the SMB authentication mechanism to launch brute-force dictionary attacks on vulnerable machines. The new SMB NTLM authentication limiting feature allows IT Admins to slow down the brute force attacks targeted at SMB endpoints.
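As an added example (not code from this article or from Microsoft's announcement), the PowerShell function below reports whether the local SMB server exposes the failed-authentication delay and whether it is at least the 2-second default described above. It assumes the setting is surfaced as the `InvalidAuthenticationDelayTimeInMs` property of `Get-SmbServerConfiguration`; the function name `Test-SmbAuthRateLimiter` is hypothetical.

```powershell
# Added example: audit the SMB server's failed-authentication delay on the local machine.
# Assumption: the delay is exposed as InvalidAuthenticationDelayTimeInMs on the object
# returned by Get-SmbServerConfiguration (only present on builds that ship the feature).
function Test-SmbAuthRateLimiter {
    [CmdletBinding()]
    param(
        # Baseline to compare against; 2000 ms matches the default delay in the article.
        [int]$MinimumDelayMs = 2000
    )

    $config = Get-SmbServerConfiguration -ErrorAction Stop
    $prop   = $config.PSObject.Properties['InvalidAuthenticationDelayTimeInMs']

    if ($null -eq $prop) {
        # Older builds do not expose the setting at all, so no delay is applied.
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Supported    = $false
            DelayMs      = $null
            Compliant    = $false
        }
    }

    $delay = [int]$prop.Value
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Supported    = $true
        DelayMs      = $delay
        # A value of 0 means the delay is switched off.
        Compliant    = ($delay -ge $MinimumDelayMs)
    }
}

Test-SmbAuthRateLimiter | Format-List

# To restore the 2-second delay after troubleshooting an application (run elevated):
# Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs 2000 -Confirm:$false
```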

The Windows Server Insider team has recently released a 3-minute video demonstration of the SMB NTLM Authentication Rate Limiter feature.

The SMB NTLM Authentication Rate Limiter feature can cause issues with select third-party apps

Keep in mind that this new SMB NTLM Authentication Rate Limiter is still an experimental feature, and it may trigger issues with select third-party applications. The company also encourages Windows Server users to provide their feedback on the Feedback Hub.

Microsoft is also planning to bring this feature to Windows 11 Insider Dev Channel and Windows Server Azure Edition Insider builds in the coming weeks. If you’re interested, you can learn more about the new SMB NTLM authentication rate limiter in Microsoft’s official blog post.