New Windows 11 feature blocks NTLM-based attacks over SMB
Security News, September 2023
Microsoft added a new security feature to Windows 11 that lets admins block NTLM over SMB to prevent pass-the-hash, NTLM relay, or password-cracking attacks.
This changes the legacy behavior in which the SMB client let Windows SPNEGO negotiate Kerberos or NTLM with the destination server and accepted whichever the server could do. When connecting to a remote SMB share, Windows could therefore fall back to an NTLM challenge-response exchange, and that exchange (the NTLM hash on the client side and the Net-NTLMv2 response it sends) is exactly what pass-the-hash, NTLM relay, and offline password-cracking attacks abuse.
Starting with Windows 11 Insider Preview Build 25951, admins can configure the SMB client to refuse to send NTLM authentication on remote outbound connections, either for the whole machine or for an individual mapping, using Group Policy or PowerShell. The trade-off is that destinations that can only authenticate with NTLM, such as non-domain-joined hosts or shares addressed by IP literal without a Kerberos SPN, will no longer be reachable from a client with blocking turned on, so the setting needs to be tested against real file servers before it is rolled out.
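The procedure above in working form, as an added example that is not from the article or from Microsoft's own post: audit the current client setting, enable NTLM blocking, and confirm that a Kerberos-capable target still mounts while an NTLM-only target is refused. It assumes a build at or above 25951 with the built-in SmbShare module, and that the `-BlockNTLM` parameter on `Set-SmbClientConfiguration` and `New-SmbMapping` (and the `/BLOCKNTLM` switch on `NET USE`) is the switch this feature added; the page itself does not name these, so they are stated from the feature as shipped, not from the page. `\\fileserver01\share` and `\\192.0.2.10\share` are placeholder targets.

```powershell
# Added example, not code from the article or from Microsoft.
# Assumptions: Windows 11 Insider Build 25951+, SmbShare module, -BlockNTLM parameter as introduced by
# this feature, placeholder targets \\fileserver01\share (domain-joined, Kerberos-capable) and
# \\192.0.2.10\share (addressed by IP, so the client would by default fall back to NTLM).
#Requires -RunAsAdministrator

# 1. Audit the current state. The pre-feature default is BlockNTLM = False, which means the client
#    silently falls back to an NTLM challenge-response whenever Kerberos is not available.
$before = (Get-SmbClientConfiguration).BlockNTLM
"Before: BlockNTLM = $before"

# 2. Machine-wide hardening: refuse to send NTLM on any outbound SMB connection.
#    (The Group Policy equivalent lives under Computer Configuration > Administrative Templates >
#    Network > Lanman Workstation.)
Set-SmbClientConfiguration -BlockNTLM $true -Force
$after = (Get-SmbClientConfiguration).BlockNTLM
"After:  BlockNTLM = $after"

# 3. Verify behaviour against a Kerberos-capable server: the mapping should still succeed.
try {
    New-SmbMapping -LocalPath 'X:' -RemotePath '\\fileserver01\share' -ErrorAction Stop | Out-Null
    "Kerberos-capable target mapped OK"
    Remove-SmbMapping -LocalPath 'X:' -Force
} catch {
    "Mapping by hostname failed: $($_.Exception.Message)"
}

# 4. Verify behaviour against an NTLM-only destination: with blocking on, the client refuses the
#    connection instead of emitting a Net-NTLMv2 response that could be relayed or cracked.
try {
    New-SmbMapping -LocalPath 'Y:' -RemotePath '\\192.0.2.10\share' -ErrorAction Stop | Out-Null
    "UNEXPECTED: NTLM-only target mapped; check that BlockNTLM took effect"
    Remove-SmbMapping -LocalPath 'Y:' -Force
} catch {
    "NTLM-only target refused as intended: $($_.Exception.Message)"
}

# 5. Per-connection alternative for a staged rollout: keep the global setting at its default and
#    block NTLM for a single mapping only, in PowerShell or with the legacy tool.
#    New-SmbMapping -LocalPath 'Z:' -RemotePath '\\fileserver01\share' -BlockNTLM $true
#    NET USE Z: \\fileserver01\share /BLOCKNTLM
```

Run step 4 against every class of file server in the estate before enabling the machine-wide setting: any NAS appliance or workgroup host that only speaks NTLM will show up here as a refused connection rather than as a helpdesk ticket later.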
"A later Windows Insider release will allow administrators to control SMB NTLM blocking to specific servers with an allow list," added Ned Pyle, Principal Program Manager in the Windows Server engineering group, in a separate blog post.
With the release of Windows 11 Insider Preview Build 25381 to the Canary Channel, Redmond also started requiring SMB signing by default for all connections to defend against NTLM relay attacks: a relayed session cannot be signed without the session key, so a server that requires signing rejects it.
SMB signing has been available starting with Windows 98 and 2000, and it has been updated in Windows 11 and Windows Server 2022 to improve protection and performance by significantly accelerating data encryption speeds.
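The signing requirement described above, as an added example that is not from the article: set both the client-side and server-side `RequireSecuritySignature` flag on a host that does not yet get the new default, then check that live SMB sessions actually report themselves as signed. It assumes the built-in SmbShare module; `\\fileserver01\share` is a placeholder target.

```powershell
# Added example, not code from the article. Assumes the SmbShare module and a placeholder
# target \\fileserver01\share. Run on a Windows 11 / Windows Server 2022 host.
#Requires -RunAsAdministrator

# Current state. Before Build 25381 RequireSecuritySignature defaults to False on both sides:
# signing is offered but an unsigned session is still accepted, which is the condition an NTLM
# relay attack needs.
"Client:"; Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
"Server:"; Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature

# Hardened setting: require signing on outbound (client) and inbound (server) connections.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# Verification: establish a connection and confirm every live outbound session is signed.
New-SmbMapping -LocalPath 'S:' -RemotePath '\\fileserver01\share' -ErrorAction Stop | Out-Null
$unsigned = Get-SmbConnection | Where-Object { -not $_.Signed }
if ($unsigned) {
    Write-Warning "Unsigned SMB connections present:"
    $unsigned | Format-Table ServerName, ShareName, Dialect, Signed, Encrypted -AutoSize
} else {
    "All SMB connections are signed"
}
Remove-SmbMapping -LocalPath 'S:' -Force
```

Requiring signing on the server side is the change that actually stops relay to that host; the client-side flag protects the client's own outbound sessions from being downgraded by a server that does not sign.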