The SMB server in Windows desktop and server editions serves files, among other things, only after the user has authenticated. Because attackers can otherwise try user name and password combinations as often and as fast as the server will answer, Microsoft has switched on a login rate limit in the current Windows 11 Insider Preview build. It is meant to slow such brute-force attacks down massively.
The feature, called the SMB authentication rate limiter, had already shipped in the Windows 11 and Windows Server Insider Preview builds in spring, explains Ned Pyle, a manager in Microsoft's Windows Server development group, in a Tech Community article. In the current Windows 11 Insider Preview Build 25206 the developers have now enabled it by default, with a delay of two seconds after every failed login attempt.
Password crackable in hours or days
With a known user name, attackers can send local or Active Directory NTLM logons with common open-source tools to guess the password, at dozens to hundreds of attempts per second. If an organization has neither intrusion detection software (IDS) nor an account lockout policy in place, attackers can crack a password in days or even hours. A user who disables the firewall and puts their device on an untrusted network has the same problem.
Pyle calculates that the forced two-second pause after each failed NTLM authentication means an attacker who previously managed 300 brute-force attempts per second, and thus tested 90,000 passwords in five minutes, now needs at least 50 hours for the same number of attempts (90,000 × 2 seconds = 180,000 seconds).
The PowerShell cmdlet Get-SmbServerConfiguration displays the current configuration of the SMB server. The setting is called InvalidAuthenticationDelayTimeInMs and shows the delay in milliseconds, so it also tells you whether the NTLM authentication limit is active and with what delay. The value can be changed with Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs followed by the desired delay in milliseconds.
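The following PowerShell is an added example by the editor, not code from the article or from Microsoft. The function names Get-SmbAuthRateLimit, Set-SmbAuthRateLimit and Get-BruteForceEstimate are the editor's own. It assumes the InvalidAuthenticationDelayTimeInMs setting named above is present (a build with the feature, such as Insider Preview 25206), that a value of 0 switches the delay off, and that it is run in an elevated PowerShell so that Set-SmbServerConfiguration succeeds. The brute-force estimate reproduces the article's arithmetic for one serial stream of attempts; it does not claim anything about attackers who spread attempts over parallel connections, which the article does not discuss.

```powershell
#Requires -Modules SmbShare
# Added example (editor's code, not from the article or from Microsoft).
# Assumptions: the SMB server exposes InvalidAuthenticationDelayTimeInMs
# (Windows 11 Insider Preview 25206 or later), a value of 0 disables the
# delay, and the session is elevated so Set-SmbServerConfiguration works.

function Get-SmbAuthRateLimit {
    # Reports whether the NTLM authentication delay exists on this build and its value.
    [CmdletBinding()]
    param()
    $cfg  = Get-SmbServerConfiguration
    $prop = $cfg.PSObject.Properties['InvalidAuthenticationDelayTimeInMs']
    if ($null -eq $prop) {
        # Older builds do not expose the setting at all; report that instead of erroring.
        return [pscustomobject]@{ Supported = $false; DelayMs = $null; Enabled = $false }
    }
    [pscustomobject]@{
        Supported = $true
        DelayMs   = [int]$prop.Value
        Enabled   = ([int]$prop.Value -gt 0)   # assumption: 0 means the limiter is off
    }
}

function Set-SmbAuthRateLimit {
    # Sets the delay and reads it back; supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 2147483647)]
        [int]$DelayMs   # 2000 is the default the article describes; 0 disables (assumption)
    )
    $before = Get-SmbAuthRateLimit
    if (-not $before.Supported) {
        throw 'This build does not expose InvalidAuthenticationDelayTimeInMs.'
    }
    if ($PSCmdlet.ShouldProcess('SMB server', "Set InvalidAuthenticationDelayTimeInMs to $DelayMs")) {
        Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs $DelayMs -Force
        # Verify the change instead of trusting the cmdlet's silent return.
        $after = Get-SmbAuthRateLimit
        if ($after.DelayMs -ne $DelayMs) {
            throw "Delay is $($after.DelayMs) ms after the change, expected $DelayMs ms."
        }
        $after
    }
}

function Get-BruteForceEstimate {
    # Time an online guessing campaign needs with and without the delay, for
    # one serial stream of attempts where every failure costs at least DelayMs.
    # Defaults are the article's figures: 90,000 guesses at 300 per second.
    param(
        [Parameter(Mandatory)][int]$DelayMs,
        [int]$Guesses = 90000,
        [double]$UndelayedRatePerSec = 300
    )
    $undelayedSec = $Guesses / $UndelayedRatePerSec
    $delayedSec   = [math]::Max($undelayedSec, $Guesses * ($DelayMs / 1000.0))
    [pscustomobject]@{
        Guesses          = $Guesses
        DelayMs          = $DelayMs
        WithoutDelayMins = [math]::Round($undelayedSec / 60, 1)   # 5.0 for the defaults
        WithDelayHours   = [math]::Round($delayedSec / 3600, 1)   # 50.0 at 2000 ms
    }
}

# Usage: report the current state, then show what it means for an attacker.
$state = Get-SmbAuthRateLimit
$state | Format-List
if ($state.Supported) {
    Get-BruteForceEstimate -DelayMs $state.DelayMs | Format-List
}
# To re-apply the two-second default explicitly, preview first:
#   Set-SmbAuthRateLimit -DelayMs 2000 -WhatIf
```

Reading the value back after Set-SmbServerConfiguration is deliberate: on a build that lacks the setting the cmdlet would not have a parameter to bind, and on one that has it the read-back is the only confirmation the new delay is really in force before you rely on it.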
The feature is present in the Windows Server preview as well, but not yet enabled there. Microsoft first wants to see whether the change causes problems or incompatibilities; if all goes well, the developers intend to enable it on other systems too, Pyle explains. The change does not affect Kerberos authentication, because the client obtains its Kerberos ticket before it connects to the SMB server, so the server-side delay never comes into play.
Pyle adds that this is part of the evolution of the next generation of SMB and of the security enhancements that arrived with SMB over QUIC in Windows 11 and Windows Server 2022. The developers plan to harden, deprecate or even remove many SMB protocol behaviors over the next few major operating system releases, much as SMB1 was removed, as part of a security modernization campaign.