Enhanced Windows 11 Security: Blocking NTLM Over SMB
Windows 11 has introduced a security enhancement allowing administrators to block NTLM over SMB. This move aims to counteract pass-the-hash, NTLM relay, and password-cracking assaults. Previously, when connecting to an SMB share remotely, Windows would use an NTLM challenge response, potentially exposing the hashed user password to the hosting server. These hashes are vulnerabilities, as they can be cracked or exploited in NTLM Relay and pass-the-hash attacks.
Microsoft's enhancement empowers administrators to prevent outbound NTLM over SMB, safeguarding the hashed password from transmission to remote servers. As Amanda Langowski and Brandon LeBlanc of Microsoft put it, attackers can't exploit NTLM data if it's never transmitted over the network. This feature removes the necessity to fully deactivate NTLM within the OS.
From Windows 11 Insider Preview Build 25951, administrators can block NTLM data transmission over SMB through Group Policy and PowerShell. They also have the option to entirely disable NTLM in SMB connections with NET USE and PowerShell. Ned Pyle, from Windows Server engineering, mentioned upcoming features that allow specific server connections supporting only NTLM.
Another feature in this build is SMB dialect management, letting admins block outdated, vulnerable Windows devices by disabling older SMB protocols. With Windows 11 Insider Preview Build 25381's release, SMB signing became a default requirement, bolstering defenses against NTLM relay attacks, where malicious entities hijack network devices to gain full domain control. SMB signing, existing since Windows 98 and 2000, authenticates sender-receiver communication via embedded signatures and has been enhanced in Windows 11 and Windows Server 2022 for better protection and faster encryption.
These security improvements are part of Microsoft's broader push to fortify Windows and Windows Server. Notably, in 2022, Microsoft started phasing out the aged SMB1 protocol in Windows 11 Home Insiders and later bolstered defenses against brute-force attacks by launching an SMB authentication rate limiter.
Loading Comments ...
Comments
No comments have been added for this post.
You must be logged in to make a comment.