New Windows 11 Security Feature Protects Against Password Hackers
Microsoft rolls out a new security feature that should significantly slow down password attacks against Windows devices.The latest preview of Windows 11 ships with the SMB server authentication rate limiter on by default.
This makes Windows 11″a very unattractive target” for hackers trying to steal credentials, since it’s much more time-consuming for them to target the server with password-guessing attacks.
Microsoft security expert Ned Pyle states, “The SMB server service now defaults to a 2-second default between each failed inbound NTLM authentication.”SMB refers to the Server Message Block network file-sharing protocol.
This means if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes (90,000 passwords), the same number of attempts would now take 50 hours at a minimum.
The rate limiter was previewed this March but is now the default on Windows 11.
Windows and Windows Server come with the SMB server enabled. NTLM refers to the NT Lan Manager (NTLM) protocol for client-sever authentication with, for example, Active Directory (AD) NTLM logons.
An attacker on a network can pose as a ‘friendly server’ to intercept NTLM credentials that are transmitted between client and server. Another option is using a known username and then guessing the password with multiple logon attempts.
Without the default rate limiter setting, an attacker could guess the password within days or hours, without being spotted.
The SMB default rate limiter setting is available in the Windows 11 Insider Preview Build 25206 to the Dev Channel. While the SMB server runs by default in Windows, it’s not accessible by default.
However, the SMB server rate limiter will serve a purpose because admins often make it accessible when creating a customer SMB share that opens the firewall.
The Windows Insider team notes, “Starting in Build 25206, it is on by default and set to 2000ms (2 seconds). Any bad usernames or passwords sent to SMB will now cause a 2 second delay by default in all editions of Windows Insiders. This behavior change was not made to Windows Server Insiders, it still defaults to 0.”
The new default should help in situations where users or admins configure machines and networks in a way that exposes them to password-guess attacks.
If your organization has no intrusion detection software or doesn’t set a password lockout policy, an attacker might guess a user’s password in a matter of days or hours. A consumer user who turns off their firewall and brings their device to an unsafe network has a similar problem.
Microsoft is gradually rolling out more secure defaults in Windows 11. Earlier this year, it introduced a default account lockout policy to mitigate RDP and other brute force password attacks.
In the Windows 11 2022 Update, Microsoft added several more security defaults, such as Smart App Control to only allow safe apps to run, and by default blocking PowerShell, LNK files, and Visual Basic scripts from the internet.
Pyle has also posted a demo of the SMB rate limiter in action.