mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 10:23:37 +00:00
dates
@ -2,7 +2,7 @@
|
||||
title: Operating System security
|
||||
description: Windows 11 security book - Operating System security chapter.
|
||||
ms.topic: overview
|
||||
ms.date: 04/09/2024
|
||||
ms.date: 09/06/2024
|
||||
---
|
||||
|
||||
# Network security
|
||||
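Review bot: the only visible change in this frontmatter hunk is `ms.date` moving from `04/09/2024` to `09/06/2024`, which matches the one-word commit message "dates", but a date bump on its own is only meaningful if the same commit also revises the body; the commit message should say what else changed so reviewers can check the new date against real content edits rather than a refresh of the metadata alone.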
@ -129,24 +129,24 @@ Signing is now required by default for all SMB outbound and inbound connections.
|
||||
|
||||
SMB NTLM blocking: The SMB client now supports blocking NTLM authentication for remote outbound connections. Blocking NTLM authentication prevents bad actors from tricking clients into sending NTLM requests to malicious servers, counteracting brute force, cracking, and pass-the-hash attacks. NTLM blocking is also required for switching an organization's authentication protocols to Kerberos, which is more secure than NTLM because it can verify server identities with its ticket system. You can also allow exceptions to allow NTLM authentication over SMB to specific servers only.
|
||||
|
||||
SMB authentication rate limiter: The SMB authentication rate limiter is a feature of SMB server designed to address brute force authentication attacks. Bruce force authentication attacks bombard the SMB server with multiple username and password-guesses and the frequency can range from dozens to thousands of attempts per second. The SMB authentication rate limiter is enabled by default with a 2 second delay between each failed NTLM or Local KDC Kerberos-based authentication attempt. An attack that sends 300 guesses per second for 5 minutes, for example - 90,000 password guess attempts - would now take 50 hours to complete, increasing the likelihood of detection and diminishing the likelihood of successful guessing.
|
||||
SMB authentication rate limiter: The SMB authentication rate limiter is a feature of SMB server designed to address brute force authentication attacks. Bruce force authentication attacks bombard the SMB server with multiple username and password-guesses and the frequency can range from dozens to thousands of attempts per second. The SMB authentication rate limiter is enabled by default with a 2 second delay between each failed NTLM or Local KDC Kerberos-based authentication attempt. An attack that sends 300 guesses per second for 5 minutes, for example - 90,000 password guess attempts - would now take 50 hours to complete, increasing the likelihood of detection and diminishing the likelihood of successful guessing.
|
||||
|
||||
SMB insecure guest auth now off by default in Windows Pro editions: SMB insecure guest auth now off by default in Windows Pro editions: Windows 11 Pro no longer allows SMB client guest connections or guest fallback to an SMB server by default. This makes Windows 11 Pro operate like Windows 10 and Windows 11 Enterprise, Education, and Pro for Workstation editions have for years. Guest logons don't require passwords & don't support standard security features like signing and encryption. Allowing a client to use guest logons makes the user vulnerable to attacker-in-the-middle scenarios or malicious server scenarios - for instance, a phishing attack that tricks a user into opening a file on a remote share or a spoofed server that tricks a client into thinking it's a legitimate one. The attacker doesn't need to know the user's credentials and a bad password is ignored. Only third-party remote devices might require guest access by default. Microsoft-provided operating systems haven't allowed the general use of guest in server scenarios since Windows 2000.
|
||||
|
||||
SMB over QUIC client access control: SMB over QUIC client access control enables you to restrict which clients can access SMB over QUIC servers. Client access control creates allow and blocklists for devices to connect to the file server. Client access control gives organizations more protection without changing the authentication used when making the SMB connection, nor does it alter the end user experience. SMB over QUIC is available in Windows Server 2022 Datacenter: Azure Edition and now also in Windows Server 2025 (all editions). The SMB over QUIC client can now also be completely disabled or configured only to allow connection to specific servers.
|
||||
SMB encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of this more advanced security or continue to use the more compatible and still-safe AES-128 encryption.
|
||||
SMB over QUIC client access control: SMB over QUIC client access control enables you to restrict which clients can access SMB over QUIC servers. Client access control creates allow and blocklists for devices to connect to the file server. Client access control gives organizations more protection without changing the authentication used when making the SMB connection, nor does it alter the end user experience. SMB over QUIC is available in Windows Server 2022 Datacenter: Azure Edition and now also in Windows Server 2025 (all editions). The SMB over QUIC client can now also be completely disabled or configured only to allow connection to specific servers.
|
||||
SMB encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of this more advanced security or continue to use the more compatible and still-safe AES-128 encryption.
|
||||
|
||||
SMB dialect management: By default SMB server and client automatically negotiates the highest matched dialect from SMB 2.0.2 to 3.1.1. You can now specify the SMB protocols used, blocking older, less secure, versions from connecting to the server. For example, you can specify connection to only use SMB 3.1.1, the most secure dialect of the protocol. The minimum and maximum can be set independently on both the SMB client and server, and you can set just a minimum if desired.
|
||||
SMB dialect management: By default SMB server and client automatically negotiates the highest matched dialect from SMB 2.0.2 to 3.1.1. You can now specify the SMB protocols used, blocking older, less secure, versions from connecting to the server. For example, you can specify connection to only use SMB 3.1.1, the most secure dialect of the protocol. The minimum and maximum can be set independently on both the SMB client and server, and you can set just a minimum if desired.
|
||||
|
||||
SMB client encryption mandate now supported: The SMB client now supports requiring encryption of all outbound SMB connections. Encryption of all outbound SMB client connections enforces the highest level of network security and brings management parity to SMB signing, which allows both client and server requirements. When enabled, the SMB client won't connect to an SMB server that doesn't support SMB 3.0 or later, or that doesn't support SMB encryption. For example, a third-party SMB server might support SMB 3.0 but not SMB encryption. Unlike SMB signing, encryption is not required by default.
|
||||
SMB client encryption mandate now supported: The SMB client now supports requiring encryption of all outbound SMB connections. Encryption of all outbound SMB client connections enforces the highest level of network security and brings management parity to SMB signing, which allows both client and server requirements. When enabled, the SMB client won't connect to an SMB server that doesn't support SMB 3.0 or later, or that doesn't support SMB encryption. For example, a third-party SMB server might support SMB 3.0 but not SMB encryption. Unlike SMB signing, encryption is not required by default.
|
||||
|
||||
Remote Mailslots are now deprecated and disabled by default for SMB and DCLocator usage with Active Directory. The Remote Mailslot protocol is a dated, simple, unreliable, insecure IPC method first introduced in MS DOS.
|
||||
Remote Mailslots are now deprecated and disabled by default for SMB and DCLocator usage with Active Directory. The Remote Mailslot protocol is a dated, simple, unreliable, insecure IPC method first introduced in MS DOS.
|
||||
|
||||
SMB alternative ports: You can use the SMB client to connect to alternative IANA/IETF TCP, QUIC, and RDMA ports than their defaults of 445, 5445, and 443. You can only connect to alternative ports if the SMB server is configured to support listening on that port. You can also configure your deployment to block configuring alternative ports or specify that ports can only connect to certain servers. In the case of Windows Server, only SMB over QUIC on Windows Server 2025 can be configured to listen on an alternative port.
|
||||
|
||||
SMB Firewall changes: The built-in firewall rules doesn't contain the SMB NetBIOS ports anymore.If you need to use an SMB1 server for legacy compatibility reasons, you must manually reconfigure the firewall to open those portsThis change brings SMB firewall rules more in line with the standard behavior for the Windows Server File Server role. Administrators can reconfigure the rules to restore the legacy ports.
|
||||
|
||||
SMB auditing improvements: SMB now supports auditing use of SMB over QUIC, missing third party support for encryption, and missing third party support for signing. These all operate at the SMB server and SMB client level.
|
||||
SMB auditing improvements: SMB now supports auditing use of SMB over QUIC, missing third party support for encryption, and missing third party support for signing. These all operate at the SMB server and SMB client level.
|
||||
|
||||
|
||||
|
||||
|
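Review bot: in the rate limiter paragraph, both the removed and the added version still read "Bruce force authentication attacks"; since these lines are being rewritten anyway, correct it to "Brute force" in the added version. The same applies to the dialect management paragraph, where "SMB server and client automatically negotiates" should be "negotiate" (plural subject). The paragraphs that appear on both sides of this hunk (rate limiter, QUIC client access control, encryption, dialect management, client encryption mandate, Remote Mailslots, auditing) show no visible textual difference in the rendered view, so the change is presumably whitespace or markup only, which the commit message "dates" does not describe. Two defects in the unchanged context lines are worth a follow-up in the same file: the guest-auth paragraph repeats its label ("SMB insecure guest auth now off by default in Windows Pro editions:" appears twice in a row), and the firewall paragraph is missing spaces in "anymore.If" and "portsThis".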