Windows 11 security change: SMB signing becomes standard
by Tina Siering
SMB signing by default
Starting with Windows 11 Insider Preview Build 25381 (Enterprise edition), SMB signing is now required by default for all (network) connections. This changes the previous behaviour where Windows 10 and 11 required SMB signing by default only for connections to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing when a client connected to them.
Earlier in the year, Microsoft had already announced further changes to its handling of the SMB protocol. First, SMB guest authentication was disabled by default. Second, an SMB authentication rate limiter hardened network logon by limiting how many logon attempts can be made within a two-second window.
The SMB protocol is used to share network files and allows applications on a computer to read and write files and request services from server programmes on a computer network. It is used, for example, when NAS devices are used for data backup.
Microsoft manager Ned Pyle explained the reason for this change in a blog post and noted that it will also apply to all other Windows versions as well as Windows Server. Although Windows and Windows Server have supported SMB signing for some time, it was previously optional.
Pyle also clarified that despite this change, SMB features will not be discontinued in future versions of Windows. Microsoft plans to continue releasing more secure SMB defaults and new SMB security options in the coming years. Security cannot be left to chance, he said.
Unsigned SMB sessions are a recurring weakness that is exploited especially in attacks on corporate networks. They are an attractive vector for man-in-the-middle (MITM) attacks, because without a signature neither side can detect that a session has been intercepted or relayed. In the worst case, an attacker can use the intercepted login to gain read or copy access to an entire network without leaving any traces.
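As an added example (not code from the article or from Microsoft), the following PowerShell script audits the SMB settings discussed above on a Windows 11 or Windows Server host, lists any live SMB sessions that are not signed, and optionally enforces the new defaults: required signing on both client and server, guest fallback disabled, and the two-second authentication delay. The cmdlets come from the built-in SmbShare module; the InvalidAuthenticationDelayTimeInMs parameter is assumed to exist only on builds that ship the rate limiter, so the script checks for it before use. The function names are my own.

```powershell
# Added example: audit and enforce SMB signing, guest logon and the
# authentication rate limiter. Run in an elevated PowerShell session.
#Requires -RunAsAdministrator

function Get-SmbSigningStatus {
    # Report the current signing policy on the server and client sides.
    # RequireSecuritySignature is the setting that matters for SMB2/SMB3.
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerRequiresSigning = $server.RequireSecuritySignature
        ClientRequiresSigning = $client.RequireSecuritySignature
        InsecureGuestLogons   = $client.EnableInsecureGuestLogons
    }
}

function Get-UnsignedSmbConnection {
    # List outbound SMB sessions that are not signed; these are the sessions
    # a MITM or relay attacker could tamper with undetected.
    Get-SmbConnection |
        Where-Object { -not $_.Signed } |
        Select-Object ServerName, ShareName, Dialect, Signed, Encrypted
}

function Set-SmbSigningRequired {
    # Enforce the defaults described in the article on a host that does not
    # yet ship them. -Force suppresses the confirmation prompt.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force

    # Assumption: the rate limiter parameter only exists on newer builds,
    # so set the 2000 ms delay after a failed authentication only if present.
    $setServer = Get-Command Set-SmbServerConfiguration
    if ($setServer.Parameters.ContainsKey('InvalidAuthenticationDelayTimeInMs')) {
        Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs 2000 -Force
    }
}

# Audit first; enforcement is a separate, deliberate step.
Get-SmbSigningStatus
Get-UnsignedSmbConnection
# Set-SmbSigningRequired   # uncomment to apply the hardened settings
```

Run the audit part on file servers and on a sample of clients before enforcing: any connection that shows Signed = False after enforcement points to a peer (often a NAS or an embedded device) that does not support signing and will fail to connect once the requirement is in place.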
We welcome Microsoft's decision:
Both the lack of SMB signing and the resulting reliance on NTLM as an outdated authentication method are a recurring topic after pentests we have conducted and in discussions with customers who use our Active Cyber Defense (ACD) service. As part of the protocol analysis with our ACD customers, we also recommend the use of protocol versions with encryption, such as SNMPv3, SMB3 and FTP(S).