Earlier today, Microsoft released the latest Canary channel update of Windows 11 for members of the Insiders program. The new 25381 build for Enterprise editions now requires Server Message Block (SMB) signing by default for all connections.
In a blog post, Microsoft Principal Program Manager Ned Pyle explained the reason for this move and also revealed that this change will be coming to more versions of Windows, along with Windows Server.
While versions of both Windows and Windows Server have supported SMB signing for quite a while, Microsoft has been making a lot of recent moves to make it a bigger part of Windows security.
In March 2022, Microsoft added the SMB authentication rate limiter to Insider builds. The rate limiter puts a 2-second timeout on each failed NTLM authentication attempt, which in theory should make it much harder for hackers to make multiple attempts to sign in.
In January 2023, Microsoft said that Windows 11 Pro will soon start disabling insecure SMB guest authentication fallbacks. Today, Pyle stated this new move to make SMB signing the default is "part of a campaign to improve the security of Windows and Windows Server for the modern landscape."
Pyle added:
"Expect this default change for signing to come to Pro, Education, and other Windows editions over the next few months, as well as to Windows Server. Depending on how things go in Insiders, it will then start to appear in major releases."
In addition, we shouldn't expect this to be the last SMB security change in future versions of Windows, according to Pyle:
"We'll continue to push out more secure SMB defaults and many new SMB security options in the coming years; I know they can be painful for application compatibility and Windows has a legacy of ensuring ease of use, but security cannot be left to chance."
It will be interesting to see whether Microsoft's push toward more secure SMB defaults truly makes Windows safer to use in upcoming editions.