Mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git, synced 2025-06-15 18:33:43 +00:00
Changed SMB improvements to table format
@ -13,7 +13,7 @@ Windows 11 raises the bar for network security, offering comprehensive protectio
surface, network protection in Windows prevents people from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content.
Using reputation-based services, network protection blocks access to potentially harmful, low-reputation domains and IP addresses.
New DNS and TLS protocol versions strengthen the end-to-end protections needed for applications, web services, and Zero Trust networking. File access adds an untrusted network scenario with Server Message Block over QUIC, as well as new encryption and signing capabilities. Wi-Fi and Bluetooth advancements also provide greater trust in connections to other devices. In addition, VPN and Windows Firewall (previously called Windows Defender Firewall) platforms offer new ways to easily configure and debug software.
New DNS and TLS protocol versions strengthen the end-to-end protections needed for applications, web services, and Zero Trust networking. File access adds an untrusted network scenario with Server Message Block over QUIC, and new encryption and signing capabilities. Wi-Fi and Bluetooth advancements also provide greater trust in connections to other devices. In addition, VPN and Windows Firewall platforms offer new ways to easily configure and debug software.
In enterprise environments, network protection works best with Microsoft Defender for Endpoint, which provides detailed reporting on protection events as part of larger investigation scenarios.
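Review bot: this hunk and the later Windows Firewall hunk both delete the parenthetical "(previously called Windows Defender Firewall)", so the former product name no longer appears anywhere in the file and readers who know the feature by that name lose the only cross-reference. Keep the alias once, preferably in the Windows Firewall section where the heading is already just "## Windows Firewall", and drop it only here. The "as well as" to "and" change is fine.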
@ -23,7 +23,7 @@ In enterprise environments, network protection works best with Microsoft Defende
## Transport Layer Security (TLS)
Transport Layer Security (TLS) is a popular security protocol, encrypting data in transit to help provide a more secure communication channel between two endpoints. Windows enables the latest protocol versions and strong cipher suites by default and offers a full suite of extensions such as client authentication for enhanced server security, or session resumption for improved application performance. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows. This version helps to eliminate obsolete cryptographic algorithms, enhance security over older versions, and aim to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average and supports only strong cipher suites which provide perfect forward secrecy and less operational risk. Using TLS 1.3 will provide more privacy and lower latencies for encrypted online connections. Note that if the client or server application on either side of the connection does not support TLS 1.3, the connection will fall back to TLS 1.2. Windows uses the latest Datagram Transport Layer Security (DTLS) 1.2 for UDP communications.
Transport Layer Security (TLS) is a popular security protocol, encrypting data in transit to help provide a more secure communication channel between two endpoints. Windows enables the latest protocol versions and strong cipher suites by default and offers a full suite of extensions such as client authentication for enhanced server security, or session resumption for improved application performance. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows. This version helps to eliminate obsolete cryptographic algorithms, enhance security over older versions, and aim to encrypt as much of the TLS handshake as possible. The handshake is more performant with one less round trip per connection on average and supports only strong cipher suites which provide perfect forward secrecy and less operational risk. Using TLS 1.3 provides more privacy and lower latencies for encrypted online connections. If the client or server application on either side of the connection doesn't support TLS 1.3, the connection falls back to TLS 1.2. Windows uses the latest Datagram Transport Layer Security (DTLS) 1.2 for UDP communications.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
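Review bot: "one less round trip per connection" in the rewritten TLS paragraph is a grammar regression; the original "one fewer round trip" is correct for a countable noun, so keep "fewer". Separately, the sentence "Windows uses the latest Datagram Transport Layer Security (DTLS) 1.2 for UDP communications" is carried over unchanged, but DTLS 1.3 (RFC 9147) has since been published, so "the latest" is no longer accurate; "Windows uses DTLS 1.2 for UDP communications" would be safe. The remaining changes (dropping "Note that", contracting "does not") are fine.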
@ -33,12 +33,12 @@ Transport Layer Security (TLS) is a popular security protocol, encrypting data i
## Domain Name System (DNS) security
In Windows 11, the Windows DNS client supports DNS over HTTPS and DNS over TLS, two encrypted DNS protocols. These allow administrators to ensure their devices protect their
name queries from on-path attackers, whether they are passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites. In a Zero Trust
name queries from on-path attackers, whether they're passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites. In a Zero Trust
model where no trust is placed in a network boundary, having a secure connection to a trusted name resolver is required.
Windows 11 provides Group Policy as well as programmatic controls to configure DNS over HTTPS behavior. As a result, IT administrators can extend existing security to adopt new models such as Zero Trust. IT administrators can mandate DNS over HTTPS protocol, ensuring that devices that use insecure DNS will fail to connect to network resources. IT administrators also have the option not to use DNS over HTTPS or DNS over TLS for legacy deployments where network edge appliances are trusted to inspect plain-text DNS traffic. By default, Windows 11 will defer to the local administrator on which resolvers should use encrypted DNS.
Windows 11 provides group policy and programmatic controls to configure DNS over HTTPS behavior. As a result, IT administrators can extend existing security to adopt new models such as Zero Trust. IT administrators can mandate DNS over HTTPS protocol, ensuring that devices that use insecure DNS will fail to connect to network resources. IT administrators also have the option not to use DNS over HTTPS or DNS over TLS for legacy deployments where network edge appliances are trusted to inspect plain-text DNS traffic. By default, Windows 11 will defer to the local administrator on which resolvers should use encrypted DNS.
Support for DNS encryption integrates with existing Windows DNS configurations such as the Name Resolution Policy Table (NRPT) and the system Hosts file, as well as resolvers specified per network adapter or network profile. The integration helps Windows 11 ensure that the benefits of greater DNS security do not regress existing DNS control mechanisms.
Support for DNS encryption integrates with existing Windows DNS configurations such as the Name Resolution Policy Table (NRPT), the system Hosts file, and resolvers specified per network adapter or network profile. The integration helps Windows 11 ensure that the benefits of greater DNS security do not regress existing DNS control mechanisms.
## Bluetooth protection
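Review bot: "Group Policy" is a product name and should stay capitalized in the rewritten line "Windows 11 provides group policy and programmatic controls to configure DNS over HTTPS behavior"; the original line has the capitalized form. The same hunk contracts "they are" to "they're" in the on-path attacker sentence but leaves "do not regress" unchanged in the NRPT paragraph; apply the contraction style consistently or leave both alone.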
@ -70,7 +70,7 @@ Opportunistic Wireless Encryption (OWE), a technology that allows wireless devic
## Windows Firewall
Windows Firewall with Advanced Security (previously called Windows Defender Firewall) is an important part of a layered security model. It provides host-based, two-way network traffic
Windows Firewall with Advanced Security is an important part of a layered security model. It provides host-based, two-way network traffic
filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks the device is connected to.
Windows Firewall in Windows 11 offers the following benefits:
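Review bot: this is the second removal of "(previously called Windows Defender Firewall)", and since the heading above is already just "## Windows Firewall", the section no longer tells readers that the older name refers to the same feature. If the alias is dropped from the intro hunk, keep it here in "Windows Firewall with Advanced Security (previously called Windows Defender Firewall)".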
@ -78,14 +78,14 @@ Windows Firewall in Windows 11 offers the following benefits:
- Reduces the risk of network security threats: Windows Firewall reduces the attack surface of a device with rules that restrict or allow traffic by many properties, such as IP addresses,
ports, or program paths. This functionality increases manageability and decreases the likelihood of a successful attack
- Safeguards sensitive data and intellectual property: By integrating with Internet Protocol Security (IPSec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data
- Extends the value of existing investments: Because Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API)
- Extends the value of existing investments: Because Windows Firewall is a host-based firewall that is included with the operating system, there's no extra hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API)
Windows 11 makes the Windows Firewall easier to analyze and debug. IPSec behavior has been integrated with Packet Monitor (pktmon), an in-box, cross-component network diagnostic tool for Windows. Additionally, the Windows Firewall event logs have been enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on third-party tools.
Windows 11 makes the Windows Firewall easier to analyze and debug. IPSec behavior is integrated with Packet Monitor, an in-box, cross-component network diagnostic tool for Windows. Additionally, the Windows Firewall event logs are enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on third-party tools.
Admins can now configure additional settings through the Firewall and Firewall Rule policy templates in the Endpoint Security node in Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, leveraging the platform
Admins can now configure more settings through the Firewall and Firewall Rule policy templates in the Endpoint Security node in Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, using the platform
support from the Firewall configuration service provider (CSP) and applying these settings to Windows endpoints.
Firewall rule configuration with Package Family Name (PFN) is a new security feature introduced with the 22H2 release of Windows 11. PFN based rules enforced on an app will include processes request by the app to run on its behalf.
Firewal. rule configuration with Package Family Name (PFN) is a new security feature introduced with the 22H2 release of Windows 11. PFN based rules enforced on an app will include processes request by the app to run on its behalf.
Currently FW rules can be set on UWP apps with packageSID. However, the processes requested by the app can have different SID and hence the rules applied to the app can be bypassed. The new PFN condition feature ensures the FW rule is uniformly applied to a package and its associated processes.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
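Review bot: the PFN paragraph introduces a typo: "Firewal. rule configuration with Package Family Name (PFN)" replaces "Firewall rule configuration"; restore "Firewall". While editing that paragraph, "processes request by the app to run on its behalf" should read "processes requested by the app" (wrong on both sides). Dropping "(pktmon)" from "IPSec behavior is integrated with Packet Monitor" removes the tool's actual command name, which is what admins type to run it; keep it in parentheses after "Packet Monitor". The other wording changes ("there's no extra", "using the platform support") are fine.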
@ -98,13 +98,13 @@ Organizations have long relied on Windows to provide reliable, secured, and mana
protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and
consumer VPNs, including apps for the most popular enterprise VPN gateways.
In Windows 11, we've integrated the most commonly used VPN controls right into the Windows 11 Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and with one click, open Settings for more control.
In Windows 11, we've integrated the most commonly used VPN controls right into the Windows 11 Quick Actions pane. From the Quick Actions pane, users can verify the status of their VPN, start and stop the connection, and easily open Settings for more controls.
The Windows VPN platform connects to Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> and Conditional Access for single sign-on, including multifactor authentication (MFA) through Microsoft Entra ID. The VPN platform also supports classic domain-joined authentication. It's supported by Microsoft Intune and other device management solutions. The flexible VPN profile supports both built-in protocols and custom protocols. It can configure multiple authentication methods and can be automatically started as needed or manually started by the end user. It also supports split-tunnel VPN and exclusive VPN with exceptions for trusted external sites.
With Universal Windows Platform (UWP) VPN apps, end users never get stuck on an old version of their VPN client. VPN apps from the store will be automatically updated as needed. Naturally, the updates are in the control of your IT admins.
The Windows VPN platform has been tuned and hardened for cloud-based VPN providers like Azure VPN. Features like Microsoft Entra ID authentication, Windows user interface integration, plumbing IKE traffic selectors, and server support are all built into the Windows VPN platform. The integration into the Windows VPN platform leads to a simpler IT admin experience. User authentication is more consistent, and users can easily find and control their VPN.
The Windows VPN platform is tuned and hardened for cloud-based VPN providers like Azure VPN. Features like Microsoft Entra ID authentication, Windows user interface integration, plumbing IKE traffic selectors, and server support are all built into the Windows VPN platform. The integration into the Windows VPN platform leads to a simpler IT admin experience. User authentication is more consistent, and users can easily find and control their VPN.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
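Review bot: "easily open Settings for more controls" in the rewritten Quick Actions sentence should be "more control", as in the original line; "controls" turns a statement about the degree of control into a count of UI elements. Replacing "the VPN tunnels" with "the connection" and "has been tuned" with "is tuned" is fine.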
@ -112,30 +112,25 @@ The Windows VPN platform has been tuned and hardened for cloud-based VPN provide
## Server Message Block file services
Server Message Block (SMB) and file services are the most common Windows workloads in the commercial and public sector ecosystem. Users and applications rely on SMB to access the files that run organizations of all sizes. Windows 11 introduced significant security updates to meet today's threats, including AES-256 SMB encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. Windows 11 24H2 adds far more security options, including required SMB signing by default, NTLM blocking, authentication rate limiting, and many others. Windows 11 24H2 is the state of the art for SMB security for organizations worldwide.
Server Message Block (SMB) and file services are the most common Windows workloads in the commercial and public sector ecosystem. Users and applications rely on SMB to access the files that run organizations of all sizes.
Signing is now required by default for all SMB outbound and inbound connections. This changes legacy behavior, where Windows 10 and 11 required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing when any client connected to them. Signing prevents data tampering and relay attacks to malicious servers.
Windows 11 introduced significant security updates to meet today's threats, including AES-256 SMB encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. Windows 11, version 24H2, adds far more security options, including required SMB signing by default, NTLM blocking, authentication rate limiting, and many others. Windows 11 24H2 is the state of the art for SMB security for organizations worldwide.
SMB NTLM blocking: The SMB client now supports blocking NTLM authentication for remote outbound connections. Blocking NTLM authentication prevents bad actors from tricking clients into sending NTLM requests to malicious servers, counteracting brute force, cracking, and pass-the-hash attacks. NTLM blocking is also required for switching an organization's authentication protocols to Kerberos, which is more secure than NTLM because it can verify server identities with its ticket system. You can also allow exceptions to allow NTLM authentication over SMB to specific servers only.
The following table details SMB file services improvements in Windows 11, version 24H2.
SMB authentication rate limiter: The SMB authentication rate limiter is a feature of SMB server designed to address brute force authentication attacks. Bruce force authentication attacks bombard the SMB server with multiple username and password-guesses and the frequency can range from dozens to thousands of attempts per second. The SMB authentication rate limiter is enabled by default with a 2 second delay between each failed NTLM or Local KDC Kerberos-based authentication attempt. An attack that sends 300 guesses per second for 5 minutes, for example - 90,000 password guess attempts - would now take 50 hours to complete, increasing the likelihood of detection and diminishing the likelihood of successful guessing.
SMB insecure guest auth now off by default in Windows Pro editions: Windows 11 Pro no longer allows SMB client guest connections or guest fallback to an SMB server by default. This makes Windows 11 Pro operate like Windows 10 and Windows 11 Enterprise, Education, and Pro for Workstation editions have for years. Guest logons don't require passwords & don't support standard security features like signing and encryption. Allowing a client to use guest logons makes the user vulnerable to attacker-in-the-middle scenarios or malicious server scenarios - for instance, a phishing attack that tricks a user into opening a file on a remote share or a spoofed server that fools a user into thinking it's a legitimate one. The attacker doesn't need to know the user's credentials and a bad password is ignored. Only third-party remote devices might require guest access by default. Microsoft-provided operating systems haven't allowed the general use of guest in server scenarios since Windows 2000.
SMB over QUIC client access control: SMB over QUIC client access control enables you to restrict which clients can access SMB over QUIC servers. Client access control creates allow and blocklists for devices to connect to the file server. Client access control gives organizations more protection without changing the authentication used when making the SMB connection, nor does it alter the end user experience. SMB over QUIC is available in Windows Server 2022 Datacenter: Azure Edition and now also in Windows Server 2025 (all editions). The SMB over QUIC client can now also be completely disabled or configured only to allow connection to specific servers.
SMB encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of this more advanced security or continue to use the more compatible and still-safe AES-128 encryption.
SMB dialect management: By default SMB server and client automatically negotiates the highest matched dialect from SMB 2.0.2 to 3.1.1. You can now specify the SMB protocols used, blocking older, less secure, versions from connecting to the server. For example, you can specify connection to only use SMB 3.1.1, the most secure dialect of the protocol. The minimum and maximum can be set independently on both the SMB client and server, and you can set just a minimum if desired.
SMB client encryption mandate now supported: The SMB client now supports requiring encryption of all outbound SMB connections. Encryption of all outbound SMB client connections enforces the highest level of network security and brings management parity to SMB signing, which allows both client and server requirements. When enabled, the SMB client won't connect to an SMB server that doesn't support SMB 3.0 or later, or that doesn't support SMB encryption. For example, a third-party SMB server might support SMB 3.0 but not SMB encryption. Unlike SMB signing, encryption is not required by default.
Remote Mailslots are now deprecated and disabled by default for SMB and DCLocator usage with Active Directory. The Remote Mailslot protocol is a dated, simple, unreliable, insecure IPC method first introduced in MS DOS.
SMB alternative ports: You can use the SMB client to connect to alternative IANA/IETF TCP, QUIC, and RDMA ports than their defaults of 445, 5445, and 443. You can only connect to alternative ports if the SMB server is configured to support listening on that port. You can also configure your deployment to block configuring alternative ports or specify that ports can only connect to certain servers. In the case of Windows Server, only SMB over QUIC on Windows Server 2025 can be configured to listen on an alternative port.
SMB Firewall changes: The built-in firewall rules doesn't contain the SMB NetBIOS ports anymore. If you need to use an SMB1 server for legacy compatibility reasons, you must manually reconfigure the firewall to open those ports. This change brings SMB firewall rules more in line with the standard behavior for the Windows Server File Server role. Administrators can reconfigure the rules to restore the legacy ports.
SMB auditing improvements: SMB now supports auditing use of SMB over QUIC, missing third party support for encryption, and missing third party support for signing. These all operate at the SMB server and SMB client level.
|Area|Details|
|-|-|
|**Signing**|Signing prevents data tampering and relay attacks to malicious servers.<br><br>Signing is now required by default for all SMB outbound and inbound connections.|
|**NTLM blocking**|Blocking NTLM authentication prevents bad actors from tricking clients into sending NTLM requests to malicious servers, counteracting brute force, cracking, and pass-the-hash attacks.<br><br>The SMB client now supports blocking NTLM authentication for remote outbound connections.|
|**Authentication rate limiter**|The SMB server now throttles brute force authentication attacks with a rate limiter. These attacks bombard the SMB server with multiple usernames and password-guesses and the frequency can range from dozens to thousands of attempts per second.|
|**Guest authentication**|Windows 11 Pro no longer allows SMB client guest connections or guest fallback to an SMB server by default. This makes Windows 11 Pro operating like Windows Enterprise, Education, and Pro for Workstation editions. Guest logons don't require passwords and don't support standard security features like signing and encryption.|
|**SMB over QUIC client access control**| SMB over QUIC client access control restricts which clients can access servers.<br><br>These allow and blocklists for devices to connect to the file server and gives organizations more protection without altering the end user experience. <br><br>**Note:** SMB over QUIC is available in Windows Server 2022 Datacenter: Azure Edition and on all editions of Windows Server 2025.|
|**Protocols management**|You can now specify the SMB protocols used, blocking older, less secure, versions from connecting to the server. For example, you can specify connection to only use SMB 3.1.1, the most secure dialect of the protocol.|
|**Encryption**|SMB encryption provides end-to-end encryption of SMB data, protecting it from eavesdropping occurrences on internal networks.<br><br>The SMB client now supports requiring encryption of all outbound SMB connections. Encryption of all outbound SMB client connections enforces the highest level of network security. Unlike SMB signing, encryption isn't required by default.|
|**Remote Mailslots deprecation**|Remote Mailslots are now deprecated and disabled by default for SMB and DCLocator usage with Active Directory. The Remote Mailslot protocol is a dated, simple, unreliable, insecure IPC method first introduced in MS DOS.|
|**Alternative ports**|You can now connect to SMB using alternative TCP, QUIC, and RDMA ports. In Windows Server 2025, you can configure SMB over QUIC to listen on an alternative port.|
|**Firewall changes**|The built-in firewall rules doesn't contain the SMB NetBIOS ports anymore, increasing the security of SMB and Windows.|
|**Auditing improvements**| SMB now supports auditing use of SMB over QUIC, missing third party support for encryption, and missing third party support for signing.|
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
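Review bot: the table drops concrete details from the paragraphs it replaces that administrators need when planning the 24H2 changes, and the Details column has room to keep them. Lost in the conversion: the rate limiter's default 2-second delay after each failed NTLM or local KDC Kerberos attempt and the worked figure (300 guesses per second for 5 minutes, 90,000 attempts, now taking 50 hours); the per-server exceptions for NTLM blocking; the negotiated dialect range (SMB 2.0.2 to 3.1.1) and that minimum and maximum can be set independently on client and server; the AES-256-GCM and AES-256-CCM suites and the fact that a client with mandatory encryption refuses servers that lack SMB 3.0 or encryption support; the warning that legacy SMB1 deployments must manually reopen the NetBIOS ports; the option to disable the SMB over QUIC client entirely or restrict it to specific servers; and the note that auditing operates at both SMB server and SMB client level. If the default ports come back, check the order: the removed line gave "TCP, QUIC, and RDMA ports than their defaults of 445, 5445, and 443", which pairs QUIC with 5445 and RDMA with 443, whereas SMB over QUIC uses 443 and SMB Direct (iWARP) uses 5445. Grammar carried into the new cells: "The built-in firewall rules doesn't contain" should be "don't contain"; "This makes Windows 11 Pro operating like Windows Enterprise" should be "operate like"; "These allow and blocklists for devices to connect to the file server and gives organizations more protection" is a fragment, for example "Allow and block lists control which devices can connect to the file server, giving organizations more protection"; and "eavesdropping occurrences" reads better as "eavesdropping".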
@ -106,8 +106,6 @@ All auditing categories are disabled when Windows is first installed. Before ena
- [Security policy settings](/windows/security/threat-protection/security-policy-settings/security-policy-settings)
- [Security auditing](/windows/security/threat-protection/auditing/security-auditing-overview)
## Windows security settings
Visibility and awareness of device security and health are key to any action taken. The Windows built-in security settings provide an at-a-glance view of the security status and health of your device. These insights help you identify issues and act to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.
@ -147,10 +145,8 @@ Enabling Windows protected print mode is highly recommended.
The benefits of Windows protected print mode include:
- Increased PC security.
- Simplified and consistent printing experience, regardless of PC architecture.
- Increased PC security
- Simplified and consistent printing experience, regardless of PC architecture
- Removes the need to manage print drivers
Windows protected print mode is designed to work with Mopria certified printers only. Many existing printers are already compatible.
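Review bot: the rewritten benefits list mixes noun phrases ("Increased PC security", "Simplified and consistent printing experience") with a verb clause in the new bullet "Removes the need to manage print drivers"; make it parallel, for example "No print drivers to manage". Dropping the trailing periods and the blank lines between items matches the other lists in the file.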
@ -158,5 +154,4 @@ Windows protected print mode is designed to work with Mopria certified printers
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Windows protected print mode] (/windows-hardware/drivers/print/windows-protected-print-mode)
- [A new, modern, and secure print experience from Windows](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/a-new-modern-and-secure-print-experience-from-windows/ba-p/4002645)
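Review bot: the link "[Windows protected print mode] (/windows-hardware/drivers/print/windows-protected-print-mode)" has a space between "]" and "(", so Markdown renders it as bracketed text followed by a literal path rather than as a link; this is unchanged on both sides of the diff, but since the hunk already touches this list, remove the space here.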