Windows 11 to let admins mandate SMB encryption for outbound connections



Windows 11 will let admins mandate SMB client encryption for all outbound connections, starting with today's Windows 11 Insider Preview Build 25982 rolling out to Insiders in the Canary Channel.

SMB encryption provides end-to-end data encryption and can be enabled on a per-share basis, for the entire file server, or when mapping drives using Windows Admin Center, Windows PowerShell, or UNC Hardening.

This capability was first included with SMB 3.0 on Windows 8 and Windows Server 2012, and support for AES-256-GCM cryptographic suites was introduced with Windows 11 and Windows Server 2022.

By requiring that all destination servers support SMB 3.x and encryption, Windows admins can guarantee that clients only establish a connection if these conditions are met, defending against eavesdropping and interception attacks.

"You can now also configure the SMB client to always require encryption, no matter what the server, share, UNC hardening, or a mapped drive requires," said Microsoft Principal Program Manager Ned Pyle.

"This means an administrator can globally force a Windows device to use SMB encryption – and therefore SMB 3.x – on all connections and refuse to connect if the SMB server does not support either."

The new option can be configured using PowerShell or the 'Require encryption' group policy under Computer Configuration \ Administrative Templates \ Network \ Lanman Workstation.
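To take the PowerShell route with the compatibility check a practitioner would want first, here is an added example (not code from the article or from Microsoft): it lists the SMB dialect each current connection negotiated, flags servers below SMB 3.0 that would be refused once encryption is mandatory, and only then sets the client-side requirement. It assumes an elevated session on a Windows 11 Insider build that exposes the new setting as the RequireEncryption parameter of Set-SmbClientConfiguration; on builds without it the cmdlet rejects that parameter.

```powershell
# Added example, not from the article or Microsoft. Assumes an elevated
# PowerShell session on a Windows 11 Insider build that carries the
# RequireEncryption client setting described above.

# 1. Record the current client policy so the change can be reverted.
$before = Get-SmbClientConfiguration
$before | Select-Object RequireSecuritySignature, EnableSecuritySignature |
    Format-List

# 2. Inventory live outbound connections. A server that negotiated a dialect
#    below 3.0 cannot do SMB encryption and will be refused after enforcement.
$connections = Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect, Encrypted

$legacy = $connections | Where-Object {
    [version]$_.Dialect -lt [version]'3.0'
}
if ($legacy) {
    Write-Warning 'These servers negotiate SMB < 3.0 and will become unreachable once encryption is required:'
    $legacy | Format-Table -AutoSize
}
$connections | Format-Table -AutoSize

# 3. Enforce encryption on every outbound connection. This is the PowerShell
#    equivalent of the 'Require encryption' policy under Lanman Workstation.
#    -Force suppresses the confirmation prompt. Run this only after the legacy
#    list above is empty or those servers have been upgraded.
Set-SmbClientConfiguration -RequireEncryption $true -Force

# 4. Confirm the setting took effect.
(Get-SmbClientConfiguration).RequireEncryption
```

Per Pyle's note later in the article, once encryption is required the client-side signing requirement becomes redundant, so RequireSecuritySignature need not also be forced on.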

Windows 11 'Require encryption' group policy (Microsoft)

Starting with Windows 11 Insider Preview Build 25951, admins can configure Windows systems to automatically block sending NTLM data over SMB on remote outbound connections to fend off pass-the-hash, NTLM relay, or password-cracking attacks.

When toggled on, it prevents the user's hashed password from being sent to remote servers, effectively thwarting these attacks.

With the release of Windows 11 Insider Preview Build 25381 to the Canary Channel, Microsoft also began requiring SMB signing (aka security signatures) by default for all connections to defend against NTLM relay attacks.

SMB signing, introduced in Windows 98 and 2000, has been updated in Windows 11 and Windows Server 2022 to enhance protection and performance by significantly increasing data encryption speeds.

"SMB encryption has performance overhead and compatibility overhead, and you should balance that against SMB signing - which has better performance and tamper protection but no snooping protection – or against no use of encryption or signing at all, which has best performance but no security," Pyle said.

"SMB encryption supersedes SMB signing and supplies the same level of tamper protection, meaning that if your SMB client requires signing, SMB encryption turns it off; there is no point requiring both because encryption wins."

These improvements are part of a broader effort to bolster the security of Windows and Windows Server, as underscored by earlier announcements from last year.

In April 2022, Microsoft marked a milestone by revealing the final phase of disabling the decades-old SMB1 file-sharing protocol for Windows 11 Home Insiders.

Building on this progress, the company also strengthened defenses against brute-force attacks by introducing an SMB authentication rate limiter, which mitigates the impact of unsuccessful inbound NTLM authentication attempts.