mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-15 06:47:21 +00:00
SMB update
commit 29a7e64da5 (parent 5ec2817761)
@ -111,7 +111,7 @@ The Windows VPN platform has been tuned and hardened for cloud-based VPN provide
## Server Message Block file services
Server Message Block (SMB) and file services are the most common Windows workloads in the commercial and public sector ecosystem. Users and applications rely on SMB to access the files that run organizations of all sizes. In Windows 11, the SMB protocol has significant security updates to meet today's threats, including AES-256 encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks.
Server Message Block (SMB) and file services are the most common Windows workloads in the commercial and public sector ecosystem. Users and applications rely on SMB to access the files that run organizations of all sizes. Windows 11 introduced significant security updates to meet today's threats, including AES-256 SMB encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. Windows 11 24H2 adds far more security options, including required SMB signing by default, NTLM blocking, authentication rate limiting, and many others. Windows 11 24H2 is the state of the art for SMB security for organizations worldwide.
Signing is now required by default for all SMB outbound and inbound connections. This changes legacy behavior, where Windows 10 and 11 required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing when any client connected to them. Signing prevents data tampering and relay attacks to malicious servers.
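Review bot: the rewritten paragraph carries over the wrong expansion "Remote Directory Memory Access (RDMA)" from the line it replaces; RDMA is Remote Direct Memory Access, so this is the place to correct it to "Remote Direct Memory Access (RDMA) network encryption". The new closing sentence "Windows 11 24H2 is the state of the art for SMB security for organizations worldwide" is promotional rather than descriptive and adds nothing beyond the list before it; consider dropping it, or replacing "and many others" with the remaining items so the reader knows what the 24H2 additions actually are.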
@ -119,7 +119,7 @@ SMB NTLM blocking: The SMB client now supports blocking NTLM authentication for
SMB authentication rate limiter: The SMB authentication rate limiter is a feature of SMB server designed to address brute force authentication attacks. Bruce force authentication attacks bombard the SMB server with multiple username and password-guesses and the frequency can range from dozens to thousands of attempts per second. The SMB authentication rate limiter is enabled by default with a 2 second delay between each failed NTLM or Local KDC Kerberos-based authentication attempt. An attack that sends 300 guesses per second for 5 minutes, for example - 90,000 password guess attempts - would now take 50 hours to complete, increasing the likelihood of detection and diminishing the likelihood of successful guessing.
SMB insecure guest auth now off by default in Windows Pro editions: SMB insecure guest auth now off by default in Windows Pro editions: Windows 11 Pro no longer allows SMB client guest connections or guest fallback to an SMB server by default. This makes Windows 11 Pro operate like Windows 10 and Windows 11 Enterprise, Education, and Pro for Workstation editions have for years. Guest logons don't require passwords & don't support standard security features like signing and encryption. Allowing a client to use guest logons makes the user vulnerable to attacker-in-the-middle scenarios or malicious server scenarios - for instance, a phishing attack that tricks a user into opening a file on a remote share or a spoofed server that tricks a client into thinking it's a legitimate one. The attacker doesn't need to know the user's credentials and a bad password is ignored. Only third-party remote devices might require guest access by default. Microsoft-provided operating systems haven't allowed the general use of guest in server scenarios since Windows 2000.
SMB insecure guest auth now off by default in Windows Pro editions: Windows 11 Pro no longer allows SMB client guest connections or guest fallback to an SMB server by default. This makes Windows 11 Pro operate like Windows 10 and Windows 11 Enterprise, Education, and Pro for Workstation editions have for years. Guest logons don't require passwords & don't support standard security features like signing and encryption. Allowing a client to use guest logons makes the user vulnerable to attacker-in-the-middle scenarios or malicious server scenarios - for instance, a phishing attack that tricks a user into opening a file on a remote share or a spoofed server that fools a user into thinking it's a legitimate one. The attacker doesn't need to know the user's credentials and a bad password is ignored. Only third-party remote devices might require guest access by default. Microsoft-provided operating systems haven't allowed the general use of guest in server scenarios since Windows 2000.
SMB over QUIC client access control: SMB over QUIC client access control enables you to restrict which clients can access SMB over QUIC servers. Client access control creates allow and blocklists for devices to connect to the file server. Client access control gives organizations more protection without changing the authentication used when making the SMB connection, nor does it alter the end user experience. SMB over QUIC is available in Windows Server 2022 Datacenter: Azure Edition and now also in Windows Server 2025 (all editions). The SMB over QUIC client can now also be completely disabled or configured only to allow connection to specific servers.
SMB encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of this more advanced security or continue to use the more compatible and still-safe AES-128 encryption.
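Review bot: removing the duplicated "SMB insecure guest auth now off by default in Windows Pro editions:" lead-in is the right fix, but while this region is being edited, also fix "Bruce force authentication attacks" in the rate-limiter paragraph directly above (should be "Brute force"), and replace the ampersand in "Guest logons don't require passwords & don't support" with "and". The 50-hour figure in the rate-limiter paragraph is arithmetically right (90,000 guesses at a 2-second delay is 180,000 seconds), but it only holds if the guesses are serialized behind the delay; stating that the delay applies to each failed attempt on that server would make the assumption explicit.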
@ -132,7 +132,7 @@ Remote Mailslots are now deprecated and disabled by default for SMB and DCLocato
SMB alternative ports: You can use the SMB client to connect to alternative IANA/IETF TCP, QUIC, and RDMA ports than their defaults of 445, 5445, and 443. You can only connect to alternative ports if the SMB server is configured to support listening on that port. You can also configure your deployment to block configuring alternative ports or specify that ports can only connect to certain servers. In the case of Windows Server, only SMB over QUIC on Windows Server 2025 can be configured to listen on an alternative port.
SMB Firewall changes: The built-in firewall rules doesn't contain the SMB NetBIOS ports anymore.If you need to use an SMB1 server for legacy compatibility reasons, you must manually reconfigure the firewall to open those portsThis change brings SMB firewall rules more in line with the standard behavior for the Windows Server File Server role. Administrators can reconfigure the rules to restore the legacy ports.
SMB Firewall changes: The built-in firewall rules doesn't contain the SMB NetBIOS ports anymore. If you need to use an SMB1 server for legacy compatibility reasons, you must manually reconfigure the firewall to open those ports. This change brings SMB firewall rules more in line with the standard behavior for the Windows Server File Server role. Administrators can reconfigure the rules to restore the legacy ports.
SMB auditing improvements: SMB now supports auditing use of SMB over QUIC, missing third party support for encryption, and missing third party support for signing. These all operate at the SMB server and SMB client level.
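Review bot: the added spaces fix the run-together sentences, but "The built-in firewall rules doesn't contain" still has a subject-verb agreement error and should read "don't contain". In the alternative-ports context line above, the port list is out of order relative to the protocol list: "TCP, QUIC, and RDMA" is paired with "445, 5445, and 443", which assigns 5445 to QUIC and 443 to RDMA, whereas SMB over QUIC uses 443 and SMB Direct over RDMA (iWARP) uses 5445; reorder to "445, 443, and 5445" or swap the protocol order so the pairs line up.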