As part of the Windows 11 preview, Microsoft is enabling a new feature of the SMB server. A time limit after login failure is intended to prevent brute force attacks.
The SMB server of Windows desktop and server provides files, among other things, after user authentication. Since attackers could try logins with user name and password combinations as often as they like and with maximum processing speed, Microsoft has activated a login rate limit with the current Windows 11 Insider preview version. This should massively slow down such brute force attacks.
The SMB authentication rate limiter was already included in the Windows 11 and Windows Server Insider preview versions in spring, explains Ned Pyle, a manager in Microsoft's Windows Server developer group, in a Techcommunity article. In the current Windows 11 Insider Preview Build 25206, the developers have now enabled the function by default and set a delay of two seconds after each unsuccessful login attempt.
Password crackable in hours or days
With a known username, attackers could send local or Active Directory NTLM logons using common open source tools to guess the password, at dozens to hundreds of login attempts per second. If an organization has no intrusion detection system (IDS) or account lockout policy in place, attackers could crack a password in days or even hours. A user who disables the firewall and takes the device onto an insecure network has a similar problem.
Pyle calculates that the forced pause of two seconds after an unsuccessful NTLM authentication means that an attacker who previously made 300 brute force attempts per second, and thus tested 90,000 passwords in five minutes, now needs at least 50 hours for the same number of attempts.
The PowerShell command Get-SmbServerConfiguration displays the current configuration parameters of the SMB server. The function appears there as InvalidAuthenticationDelayTimeInMs and shows the delay time in milliseconds. The parameter can be changed with the command Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs <ms>, where <ms> is the number of milliseconds and must be a multiple of 100.
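An added audit script, not from the article or from Microsoft, that reads the current delay, reports how long the 90,000-guess scenario above would take at that setting, and changes the value only after checking the multiple-of-100 rule. It assumes the SmbShare module on a build that already exposes InvalidAuthenticationDelayTimeInMs; the function names and the serial-attempt estimate are my own assumptions.

```powershell
# Added example (not the article's or Microsoft's code). Assumes an elevated
# session on a build whose SMB server exposes InvalidAuthenticationDelayTimeInMs.

function Get-BruteForceEstimate {
    param(
        [int]$DelayMs,                  # value of InvalidAuthenticationDelayTimeInMs
        [int]$GuessesPerSecond = 300,   # unthrottled rate quoted in the article
        [int]$Guesses = 90000           # passwords tried in the article's scenario
    )
    # Assumption: guesses are serial, so every failed attempt pays the full delay.
    $baselineSec  = $Guesses / $GuessesPerSecond
    $throttledSec = $baselineSec + $Guesses * ($DelayMs / 1000.0)
    [pscustomobject]@{
        DelayMs        = $DelayMs
        BaselineMin    = [math]::Round($baselineSec / 60, 1)
        ThrottledHours = [math]::Round($throttledSec / 3600, 1)   # 2000 ms -> ~50 h
    }
}

function Test-SmbAuthDelay {
    # Reports the configured delay and whether it meets the 2-second default.
    param([int]$MinimumMs = 2000)
    $current = (Get-SmbServerConfiguration).InvalidAuthenticationDelayTimeInMs
    if ($null -eq $current) { throw "This build does not expose InvalidAuthenticationDelayTimeInMs" }
    $estimate = Get-BruteForceEstimate -DelayMs $current
    [pscustomobject]@{
        CurrentMs      = $current
        Compliant      = ($current -ge $MinimumMs)
        HoursFor90k    = $estimate.ThrottledHours
    }
}

function Set-SmbAuthDelay {
    # Applies a new delay after enforcing the multiple-of-100 rule from the article.
    param([Parameter(Mandatory)][int]$Ms)
    if ($Ms -lt 0 -or ($Ms % 100) -ne 0) {
        throw "Delay must be a non-negative multiple of 100 ms (got $Ms)"
    }
    Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs $Ms -Force
    # Read back so the caller sees the value the server actually accepted.
    (Get-SmbServerConfiguration).InvalidAuthenticationDelayTimeInMs
}

Test-SmbAuthDelay | Format-List
```

Run Test-SmbAuthDelay first to see the current setting; Set-SmbAuthDelay 2000 restores the default if a lower value has been configured.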
The function is available in the Windows Server preview, but not yet active there. The developers first want to wait and see whether the function causes problems or incompatibilities. If everything goes well, they want to enable it on other systems as well, Pyle explains. The change does not affect authentication using Kerberos, since that takes place before a connection over a protocol such as SMB is established.
Pyle adds that this is part of the evolution of the next generation of SMB and of the security enhancements that came with SMB over QUIC in Windows 11 and Windows Server 2022. As part of a security modernization campaign, the developers plan to harden, phase out, or even remove many SMB protocol behaviors over the next few major operating system releases, as was done with the removal of SMB1.