Microsoft's latest beta update to Windows 11 will make Windows devices require SMB signing on every connection in order to block NTLM relay attacks. Administrators, however, need to be prepared for some loss of network performance.
The latest Windows 11 Insider Preview Build 25381 (Enterprise edition) was released to the Canary channel last week. Starting with this build, Windows clients and servers require SMB signing on all connections by default. SMB signing is also known as "security signatures".
The SMB (Server Message Block) protocol is used for file and printer sharing and for managing network resources such as remote Windows machines. To prevent man-in-the-middle (MITM) attacks on SMB traffic, the protocol supports signing of SMB packets. Requiring SMB signing stops an attacker from impersonating a legitimate client or server to hijack a session, which could otherwise yield user credentials that lead to a domain takeover, or allow the attacker to plant malware on Windows clients on the network, as in the 2020 Zerologon attack and the 2021 NTLM relay attack known as PetitPotam.
Before this change, administrators could already configure whether Windows clients and servers (SMBv2 and later) require signing from the peers they connect to. Windows 10 and 11 required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON, and Active Directory domain controllers required signing from any client connecting to them.
All Windows clients and servers support SMB signing, but third-party servers or services may have it disabled or may not support it at all. A user who tries to connect to a remote share that does not allow signing will receive an error. Microsoft recommends enabling signing on the third-party server rather than disabling the signing requirement on Windows or falling back to SMB1, which Microsoft no longer supports. Microsoft warns that devices that do not support SMB signing leave the connection open to interception and relay attacks.
The cost of enabling SMB signing is that every SMB message carries a signature computed with the session key, which consumes CPU time on both ends and therefore reduces network throughput. Microsoft recommends that administrators add physical or virtual CPU cores, or move to faster, newer CPUs.
Although Microsoft does not recommend disabling SMB signing on Windows clients or servers, it provides PowerShell commands to view the SMB signing settings and to remove the signing requirement on both clients and servers.
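As an added example (not code from the article or from Microsoft), the script below audits the signing settings with the built-in SmbShare cmdlets, lists any live SMB connections or sessions that negotiated without signing (the kind of third-party share that will start failing on the new build), and shows how to enforce or, as a last resort, relax the requirement. The Signed field on the Get-SmbConnection and Get-SmbSession output is assumed to be present, as it is on current Windows 10/11 and Windows Server builds; the function names are mine.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's or Microsoft's own code. Run in an elevated session.

# Summarise the signing policy of this host in both roles: as an SMB client
# (outbound connections) and as an SMB server (inbound connections).
function Get-SmbSigningReport {
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration

    [pscustomobject]@{
        ClientRequiresSigning = $client.RequireSecuritySignature  # outbound must be signed
        ClientEnablesSigning  = $client.EnableSecuritySignature   # outbound signs if peer does
        ServerRequiresSigning = $server.RequireSecuritySignature  # inbound must be signed
        ServerEnablesSigning  = $server.EnableSecuritySignature   # inbound signs if peer does
        Smb1Enabled           = $server.EnableSMB1Protocol        # should be $false; SMB1 is no fallback
    }
}

# List peers that are currently talking to us, or that we are talking to, without
# signing. These are the shares or clients that break once signing is required.
# The Signed property on these objects is assumed (present on current builds).
function Get-UnsignedSmbPeer {
    $outbound = Get-SmbConnection |
        Where-Object { -not $_.Signed } |
        ForEach-Object {
            [pscustomobject]@{
                Direction = 'Outbound'
                Peer      = $_.ServerName
                Share     = $_.ShareName
                Dialect   = $_.Dialect
                User      = $_.UserName
            }
        }

    $inbound = Get-SmbSession |
        Where-Object { -not $_.Signed } |
        ForEach-Object {
            [pscustomobject]@{
                Direction = 'Inbound'
                Peer      = $_.ClientComputerName
                Share     = ''
                Dialect   = $_.Dialect
                User      = $_.ClientUserName
            }
        }

    @($outbound) + @($inbound)
}

# Apply the policy the new Insider build ships with by default: require signing
# in both directions. On older builds this is how to get the same protection.
function Enable-SmbSigningRequirement {
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Confirm:$false
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Confirm:$false
}

# Last resort only, per Microsoft's guidance: drop the client-side requirement so a
# third-party share that cannot sign still mounts. This re-exposes the host to
# NTLM relay attacks; fix the server instead whenever possible.
function Disable-SmbClientSigningRequirement {
    Set-SmbClientConfiguration -RequireSecuritySignature $false -Confirm:$false
}

# Usage: report first, then decide.
Get-SmbSigningReport | Format-List
Get-UnsignedSmbPeer  | Format-Table -AutoSize
# Enable-SmbSigningRequirement
# Disable-SmbClientSigningRequirement   # only after reading the caveat above
```

Run the report and the unsigned-peer list on a representative client before rolling out the new build; anything that shows up as an unsigned outbound peer is a server to fix (enable signing there, or replace it), not a reason to call Disable-SmbClientSigningRequirement.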