Here’s why SMB rate limiting in Windows 11 is important
Published on September 26, 2022
Back in March, Microsoft released a new SMB preview feature, the Server Message Block (SMB) authentication rate limiter, in Windows Server Insider build 25075, with the feature also coming to Windows Server Azure Edition Insider and Windows 11 Insider Dev Channel builds.
The SMB authentication rate limiter is there to help shield users from brute-force password attacks. The SMB server service runs by default in all versions of Windows, though you will need to open the firewall to access it.
IT staff often enable access to the SMB server service even on devices that are not dedicated file servers, to meet important needs such as opening remote files. The problem is that this gives hackers a place to attempt authentication.
With just a username, a hacker can send local or Active Directory NTLM logons to a machine using common open-source tools and so try to guess the login credentials. If your organization does not have intrusion detection software or a password lockout policy, you are therefore more susceptible to compromise. The same applies to users who disable their firewall and connect their devices to unsafe networks.
According to Microsoft:
Starting in Windows Server Insider build 25075 and later, the SMB server service now implements a 2-second delay between each failed NTLM or PKU2U-based authentication. This means if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes (90,000 passwords), the same number of attempts would now take 50 hours at a minimum. The goal here is to make a machine a very unattractive target, a key aspect of defense-in-depth techniques.
And now, with the recent release of Windows 11 Insider build 25206 for the Dev Channel, the feature is on by default and set to 2 seconds. With this in place, any incorrect password or username sent to SMB automatically leads to a 2-second delay in all Windows 11 Insider editions. Previously, the feature was off by default. The change does not affect Windows Server Insiders, where the delay still defaults to 0.
It is also worth noting that this behavior change does not affect Kerberos, which continues to work as usual: it performs the authentication first and then allows SMB to connect. The rate limiter provides an extra layer of protection, especially for devices that are not joined to a domain.
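A short PowerShell script for checking and setting this delay on a machine, added here as an example and not taken from Microsoft or from the original article. It assumes a build that includes the feature and uses the `InvalidAuthenticationDelayTimeInMs` setting of `Get-SmbServerConfiguration` and `Set-SmbServerConfiguration`, which the article does not name; the `-DesiredDelayMs` and `-Apply` parameters are this example's own.

```powershell
# Added example (not from the article): report and optionally set the SMB
# authentication rate limiter. Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    [ValidateRange(0, 10000)]
    [int]$DesiredDelayMs = 2000,  # 2 seconds, the Windows 11 Insider default
    [switch]$Apply                # hypothetical switch: without it, report only
)

# Microsoft documents the value as milliseconds, 0-10000, in multiples of 100.
if ($DesiredDelayMs % 100 -ne 0) {
    throw "DesiredDelayMs must be a multiple of 100 (got $DesiredDelayMs)."
}

$setting = 'InvalidAuthenticationDelayTimeInMs'
$config  = Get-SmbServerConfiguration

# Builds that predate the feature do not expose this property.
if ($config.PSObject.Properties.Name -notcontains $setting) {
    Write-Warning "This build does not expose $setting; no rate limiter to configure."
    return
}

$currentMs = [int]$config.$setting

# Minimum time the article's 90,000-guess example would take at this delay.
$hours = [math]::Round(90000 * ($currentMs / 1000) / 3600, 1)
Write-Output "Current delay: $currentMs ms (90,000 failed logons need at least $hours h)"

if ($currentMs -eq 0) {
    Write-Warning 'Rate limiter is off (0 ms), the Windows Server Insider default.'
}

if ($Apply -and $currentMs -ne $DesiredDelayMs) {
    Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs $DesiredDelayMs -Confirm:$false
    $newMs = (Get-SmbServerConfiguration).$setting
    Write-Output "Delay changed from $currentMs ms to $newMs ms"
}
```

Saved as a script and run without `-Apply`, it only reports the current setting, which makes it suitable for auditing Windows Server Insider machines where the delay still defaults to 0.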
What are your thoughts on this tool and the purpose it serves? Let us know in the comment section below.
Radu Tyrsina