
Here’s why SMB rate limiting in Windows 11 is important

Kevin Okemwa
September 26, 2022

Back in March, Microsoft released a new SMB preview feature, the Server Message Block (SMB) authentication rate limiter, in Windows Server Insider build 25075, with the feature also coming to Windows Server Azure Edition Insider and Windows 11 Insider Dev Channel builds.

The SMB authentication rate limiter is in place to help shield users from brute-force password attacks. The SMB server service runs by default in all versions of Windows, though you will need to open the firewall to access it.

IT staff often enable access to the SMB server service even on devices that are not dedicated file servers, to meet legitimate needs such as opening remote files. The problem is that this gives hackers an endpoint against which to attempt authentication.

With just a username, the hacker can send local or Active Directory NTLM logons to a machine using common open-source tools, allowing them to guess the login credentials. Therefore, if your organization does not have intrusion detection software or a password lockout policy, you are more susceptible to compromise. The same applies to users who disable their firewall and connect their devices to unsafe networks.

According to Microsoft:

Starting in Windows Server Insider build 25075 and later, the SMB server service now implements a 2-second delay between each failed NTLM or PKU2U-based authentication. This means if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes (90,000 passwords), the same number of attempts would now take 50 hours at a minimum. The goal here is to make a machine a very unattractive target, a key aspect of defense-in-depth techniques.

And now, with the recent release of Windows 11 Insider build 25206 for the Dev Channel, the feature is on by default and set to 2 seconds. With this in place, any incorrect password or username sent to SMB will automatically lead to a 2-second delay by default in all Windows 11 Insider editions. Previously, the feature was off by default. This change does not affect Windows Server Insiders, where the setting still defaults to 0.

It is also worth noting that this behavior change does not affect Kerberos, which will still function as usual, completing authentication and then allowing SMB to connect. The limiter provides an extra layer of protection, especially for devices that are not joined to a domain.
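
To check how a given machine stands against the defaults described above, the following PowerShell audit reads the limiter's delay and whether the firewall admits inbound SMB. It is an added example, not code from the article or from Microsoft; the function names are hypothetical, and the setting name InvalidAuthenticationDelayTimeInMs comes from the Windows SmbShare cmdlets rather than from this page.

```powershell
# Added example: audit the SMB authentication rate limiter on the local machine.
# Run in an elevated PowerShell session. Function names are hypothetical.

function Get-SmbAuthRateLimiterState {
    $cfg  = Get-SmbServerConfiguration
    $prop = $cfg.PSObject.Properties['InvalidAuthenticationDelayTimeInMs']

    # Builds that predate the feature do not expose the property at all.
    if (-not $prop) {
        return [pscustomobject]@{ Supported = $false; DelayMs = $null; Enabled = $false }
    }
    [pscustomobject]@{
        Supported = $true
        DelayMs   = [int]$prop.Value
        Enabled   = ([int]$prop.Value -gt 0)   # 0 means no delay after a failed logon
    }
}

function Test-SmbInboundAllowed {
    # True if an enabled inbound allow rule names TCP port 445 explicitly.
    # Rules scoped to "Any" port are not counted by this check.
    $hits = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' }
    [bool]$hits
}

$state   = Get-SmbAuthRateLimiterState
$exposed = Test-SmbInboundAllowed

if (-not $state.Supported) {
    Write-Warning 'This build has no SMB authentication rate limiter setting.'
} elseif (-not $state.Enabled) {
    Write-Warning "Limiter is off (delay 0 ms). Inbound SMB allowed by firewall: $exposed"
    # Uncomment to apply the 2-second delay the article describes:
    # Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs 2000 -Confirm:$false
} else {
    Write-Output "Limiter is on: $($state.DelayMs) ms per failed logon. Inbound SMB allowed: $exposed"
}
```

A machine that reports the limiter off while inbound SMB is allowed matches the exposed case the article describes, and is the one to prioritize.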

What are your thoughts on this tool and the purpose it serves? Let us know in the comment section below.
