Microsoft Makes SMB Signing Default Requirement in Windows 11 to Boost Security

1 year ago 65

Microsoft on Friday announced that SMB signing is now a default requirement in Windows 11 Enterprise editions, starting with insider preview build 25381.

Also known as security signatures, SMB signing (Server Message Block signing) is a security mechanism where every SMB message contains a signature meant to confirm the identities of the sender and the receiver.

Available since Windows 98 and Windows 2000, SMB signing would block modified messages by checking the hash of the entire message, which the client puts into the signature field.

The security mechanism is meant to prevent relay attacks, but it has not been enabled by default in Windows 10 and Windows 11, except for connections to shares named SYSVOL and NETLOGON and if Active Directory (AD) domain controllers were set to require SMB signing for client connections.

All Windows and Windows Server versions support SMB signing, and the feature is now enabled by default for all connections, starting with Windows 11 insider preview build 25381 Enterprise editions, released in the Canary channel.

“This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape,” Microsoft explained. 

When attempting to connect to a remote share on a third-party SMB server that does not support SMB signing or which has disabled it, an error message will be displayed.

To resolve the issue, Microsoft recommends configuring the third-party SMB server to support SMB signing.

“Do not disable SMB signing in Windows or use SMB1 to work around this behavior (SMB1 supports signing but does not enforce it). An SMB device that does not support signing allows interception and relay attacks from malicious parties,” the tech giant notes.

As part of an NTLM relay attack, a threat actor forces AD domain controllers and other network devices to authenticate to attacker-controlled servers, which allows the attackers to impersonate the AD controllers to take over the entire domain.

Microsoft warns that the default SMB signing requirement may lead to performance issues and provides steps to mitigate that. The company also provides information on how SMB signing can be disabled on both clients and servers.

Related: Microsoft Makes Second Attempt to Patch Recent Outlook Zero-Day

Related: Microsoft Patch Tuesday: 40 Vulnerabilities, 2 Zero-Days

Related: NTLM Relay Attack Abuses Windows RPC Protocol Vulnerability

Read Entire Article