Security News > 2023 > September > New Windows 11 feature blocks NTLM-based attacks over SMB
Microsoft added a new security feature to Windows 11 that lets admins block NTLM over SMB to prevent pass-the-hash, NTLM relay, or password-cracking attacks.
This will modify the legacy approach where Kerberos and NTLM authentication negotiations with destination servers would be powered by Windows SPNEGO. When connecting to a remote SMB share, Windows will try to negotiate authentication with the remote computer by performing an NTLM challenge response.
Starting with Windows 11 Insider Preview Build 25951, admins can configure Windows to block sending NTLM data over SMB on remote outbound connections using Group Policy and PowerShell.
"A later Windows Insider release will allow administrators to control SMB NTLM blocking to specific servers with an allow list," added Ned Pyle, Principal Program Manager in the Windows Server engineering group, in a separate blog post.
With the release of Windows 11 Insider Preview Build 25381 to the Canary Channel, Redmond also started requiring SMB signing by default for all connections to defend against NTLM relay attacks.
It has been available starting with Windows 98 and 2000, and it has been updated in Windows 11 and Windows Server 2022 to improve protection and performance by significantly accelerating data encryption speeds.
News URL
Related news
- Exploit released for new Windows Server "WinReg" NTLM Relay attack (source)
- JPCERT shares Windows Event Log tips to detect ransomware attacks (source)
- Windows Themes zero-day bug exposes users to NTLM credential theft (source)
- Windows infected with backdoored Linux VMs in new phishing attacks (source)
- Microsoft patches Windows zero-day exploited in attacks on Ukraine (source)