Microsoft has released a new Windows Server Long-Term Servicing Channel (LTSC) Preview build. The new build 25075 strengthens the defenses against brute-force dictionary attacks. Microsoft has accomplished this by implementing an authentication rate limiter that introduces a default 2-second delay between each failed New Technology LAN Manager (NTLM) or challenge/response authentication attempt.
According to the company, this simple delay increases the time required to carry out such attacks by a very large factor. In its example, Microsoft says that 300 attempts per second sustained for 5 minutes would now take more than a full day (25 hours):
Starting in Windows Insider build 25069.1000.220302-1408 and later on Windows 11 and Windows Server 2022, the SMB Server service now implements a default 2-second delay between each failed NTLM-based authentication. This means that if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes, the same number of attempts would now take 25 hours at a minimum.
However, Microsoft has also warned that the delay can cause issues with certain third-party applications, which is why it is currently only an Insider feature. If issues do arise, Microsoft asks users to file a bug when the problem goes away with the feature turned off. If the issue persists with the feature disabled, something else is probably at play. The company notes that:
This setting is controllable by an administrator and can also be disabled. It's possible the default time and behaviors may change after we evaluate usage in Insiders and take feedback; it's also possible some third-party applications may have problems with this new feature - please use Feedback Hub to file bugs if you find that disabling the feature resolves your application's issue.
Here's how the new SMB NTLM Authentication Rate Limiter works:
This feature is controlled with PowerShell cmdlet:
Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n
The value is in milliseconds, must be a multiple of 100 and can be 0-10000. Setting to 0 disables the feature.
To see the current value, run:
Get-SmbServerConfiguration
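As an added example (not from the Microsoft post), the following PowerShell function wraps the two cmdlets above: it reads the current delay, validates the requested value against the constraints stated above (0-10000 ms, multiple of 100, 0 disables), applies it, and re-reads the setting to confirm the change. It assumes an elevated session on a build that exposes InvalidAuthenticationDelayTimeInMs; the function name Set-SmbAuthDelay is this example's own.

```powershell
# Added example: read, validate and apply the SMB invalid-authentication delay,
# then confirm the server reports the new value. Assumes an elevated PowerShell
# session on a build that exposes InvalidAuthenticationDelayTimeInMs.
function Set-SmbAuthDelay {
    param(
        # Desired delay in milliseconds: 0-10000, multiple of 100; 0 disables the limiter.
        [Parameter(Mandatory)][int]$DelayMs
    )

    # Enforce the documented constraints before touching the server configuration.
    if ($DelayMs -lt 0 -or $DelayMs -gt 10000) {
        throw "DelayMs must be between 0 and 10000 (got $DelayMs)."
    }
    if ($DelayMs % 100 -ne 0) {
        throw "DelayMs must be a multiple of 100 (got $DelayMs)."
    }

    $before = (Get-SmbServerConfiguration).InvalidAuthenticationDelayTimeInMs
    Write-Host "Current InvalidAuthenticationDelayTimeInMs: $before ms"
    if ($before -eq 0) {
        Write-Warning "The rate limiter is currently disabled (0 ms)."
    }

    if ($before -eq $DelayMs) {
        Write-Host "Already set to $DelayMs ms; nothing to do."
        return
    }

    # -Force suppresses the confirmation prompt so this can run unattended.
    Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs $DelayMs -Force

    # Re-read rather than trust the call: confirm the server really applied it.
    $after = (Get-SmbServerConfiguration).InvalidAuthenticationDelayTimeInMs
    if ($after -ne $DelayMs) {
        throw "Expected $DelayMs ms after the change, but the server reports $after ms."
    }
    Write-Host "InvalidAuthenticationDelayTimeInMs is now $after ms."
}

# Restore the documented default of 2 seconds.
Set-SmbAuthDelay -DelayMs 2000
```

When troubleshooting a third-party application as the post suggests, call Set-SmbAuthDelay -DelayMs 0 to disable the limiter for the test and Set-SmbAuthDelay -DelayMs 2000 to restore the default afterwards.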
Available Downloads:
- Windows Server Long-Term Servicing Channel Preview in ISO format in 18 languages, and in VHDX format in English only.
- Microsoft Server Languages and Optional Features Preview
Keys are valid for preview builds only:
- Server Standard: MFY9F-XBN2F-TYFMP-CCV49-RMYVH
- Datacenter: 2KNJJ-33Y9H-2GXGX-KMQWH-G6H67
You can find the official release notes here.