Mary Hoffmann has announced the release of a new build of the next Windows Server Long-Term Servicing Channel (LTSC) preview with SMB NTLM Authentication Rate Limiter for testing. This Windows Server Preview will expire September 15, 2022.
Announcing Windows Server Preview Build 25075
Today we are pleased to release a new build of the next Windows Server Long-Term Servicing Channel (LTSC) Preview that contains both the Desktop Experience and Server Core installation options for Datacenter and Standard editions. Branding has not yet been updated and remains as Windows Server 2022 in this preview - when reporting issues please refer to "VNext" rather than Windows Server 2022 which is currently in market.
SMB NTLM Authentication Rate Limiter
SMB isn't just a file server running on tens of millions of Windows Server machines, it's a ubiquitous service on more than a billion Windows 10 and 11 computers. While not remotely accessible by default, and even though not all machines are dedicated file servers, IT staff often enable access to the SMB server for legitimate organizational reasons like file transfers. A side effect of this ubiquity is that SMB can be a useful authentication mechanism for bad actors attempting brute force dictionary attacks. After enumerating or guessing Active Directory or local account names through other means, an attacker can send NTLM logons to a machine at a high rate - dozens to hundreds of attempts per second - in an attempt to guess those accounts' passwords. If an organization has no intrusion detection software or does not set a password lockout threshold, an attacker might guess a user's password in a matter of hours or less.
Starting in Windows Insider build 25069.1000.220302-1408 and later on Windows 11 and Windows Server 2022, the SMB Server service now implements a default 2-second delay between each failed NTLM-based authentication. This means that if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes, the same number of attempts would now take 25 hours at a minimum. This setting is controllable by an administrator and can also be disabled. It's possible the default time and behaviors may change after we evaluate usage in Insiders and take feedback; it's also possible some third-party applications may have problems with this new feature - please use Feedback Hub to file bugs if you find that disabling the feature resolves your application's issue.
This feature is controlled with the PowerShell cmdlet:
Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n
The value is in milliseconds, must be a multiple of 100 and can be 0-10000. Setting to 0 disables the feature.
To see the current value, run:
Get-SmbServerConfiguration
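The following PowerShell script is an added example, not part of Microsoft's announcement, showing how an administrator might audit the limiter and set it back to a valid value while enforcing the constraints stated above (0-10000 ms, multiples of 100). It assumes a build that exposes -InvalidAuthenticationDelayTimeInMs; the helper names Get-SmbNtlmAuthDelay and Set-SmbNtlmAuthDelay are chosen here and are not Microsoft cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the announcement): audit and set the SMB NTLM
# authentication delay on the local server. Get-SmbNtlmAuthDelay and
# Set-SmbNtlmAuthDelay are hypothetical helper names defined in this script.

function Get-SmbNtlmAuthDelay {
    # Current delay in milliseconds; 0 means the rate limiter is disabled.
    (Get-SmbServerConfiguration).InvalidAuthenticationDelayTimeInMs
}

function Set-SmbNtlmAuthDelay {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 10000)]   # documented range is 0-10000 ms
        [int]$DelayMs
    )
    # The value must be a multiple of 100; reject anything else before
    # touching the server configuration.
    if ($DelayMs % 100 -ne 0) {
        throw "DelayMs must be a multiple of 100 between 0 and 10000; got $DelayMs"
    }
    $before = Get-SmbNtlmAuthDelay
    # -Force suppresses the confirmation prompt so this can run unattended.
    Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs $DelayMs -Force
    $after = Get-SmbNtlmAuthDelay
    # Read the setting back rather than trusting that the call succeeded.
    if ($after -ne $DelayMs) {
        throw "Expected $DelayMs ms but the server reports $after ms"
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Before = $before; After = $after }
}

# Audit: the weak state is a delay of 0 (limiter disabled, e.g. by an admin
# working around a third-party application). Flag it and restore the default.
$current = Get-SmbNtlmAuthDelay
if ($current -eq 0) {
    Write-Warning "SMB NTLM rate limiter is disabled on $env:COMPUTERNAME"
    Set-SmbNtlmAuthDelay -DelayMs 2000     # 2000 ms is the announced default
} else {
    "SMB NTLM rate limiter delay on $env:COMPUTERNAME is $current ms"
}
```

Run it under an elevated session; the Set-SmbNtlmAuthDelay call only changes the server when the limiter is found disabled.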
This behavior change has no effect on Kerberos, which authenticates before an application protocol like SMB connects. It is designed to be another layer in your defense in depth planning. This continues the new generation of SMB and file server security enhancements first begun with SMB over QUIC in Windows 11 and Windows Server 2022. We will deprecate and remove many legacy SMB and pre-SMB protocol behaviors over the next few major releases of operating systems in a security modernization campaign similar to the removal of SMB1.
- Windows Server Long-Term Servicing Channel Preview in ISO format in 18 languages, and in VHDX format in English only.
- Microsoft Server Languages and Optional Features Preview
Azure Marketplace: When available, Insiders with Azure subscriptions may also test previews of server products in the Microsoft Server Operating Systems Preview in the Azure Marketplace.
Expiration: This Windows Server Preview will expire September 15, 2022.
How to Download
Registered Insiders may navigate directly to the Windows Server Insider Preview download page. If you have not yet registered as an Insider, see GETTING STARTED WITH SERVER on the Windows Insiders for Business portal.