Home windows 11 will now not add SMB1 Home windows Defender Firewall guidelines when creating new SMB shares beginning with immediately’s Canary Channel Insider Preview Construct 25992 construct.
Earlier than this transformation and since Home windows XP SP2, creating SMB shares arrange firewall guidelines routinely throughout the “File and Printer Sharing” group for the desired firewall profiles.
After immediately, Home windows 11 will configure the up to date “File and Printer Sharing (Restrictive)” group, omitting inbound NetBIOS ports 137-139 (that are SMB1 artifacts).
“This alteration enforces a better diploma of default of community safety in addition to bringing SMB firewall guidelines nearer to the Home windows Server “File Server” function conduct,” Microsoft’s Amanda Langowski and Brandon LeBlanc mentioned.
“Directors can nonetheless configure the “File and Printer Sharing” group if mandatory in addition to modify this new firewall group.”
“We plan future updates for this rule to additionally take away inbound ICMP, LLMNR, and Spooler Service ports and prohibit all the way down to the SMB sharing-necessary ports solely,” added Microsoft Principal Program Supervisor Ned Pyle in a separate weblog put up.
The SMB consumer now additionally permits connections with an SMB server through TCP, QUIC, or RDMA over customized community ports completely different from the hardcoded defaults—beforehand, SMB solely got here with help for TCP/445, QUIC/443, and RDMA iWARP/5445.
Making Home windows safer, one step at a time
These enhancements are a part of an in depth effort to strengthen Home windows and Home windows Server safety, as highlighted by different updates issued in latest months.
Following the introduction of Home windows 11 Insider Preview Construct 25982 within the Canary Channel, directors can now implement SMB consumer encryption for all outbound connections.
By requiring that each one vacation spot servers help SMB 3.x and encryption, Home windows directors can assure that each one connections are safe, thus mitigating the dangers of eavesdropping and interception assaults.
Admins may configure Home windows 11 methods to block sending NTLM information over SMB routinely on distant outbound connections to thwart pass-the-hash, NTLM relay, or password-cracking assaults, beginning with the Home windows 11 Insider Preview Construct 25951.
With the Home windows 11 Insider Preview Canary Construct 25381, Redmond additionally began requiring SMB signing (safety signatures) by default for all connections to defend towards NTLM relay assaults.
Final yr, in April, Microsoft revealed the ultimate section of disabling the decades-old SMB1 file-sharing protocol for Home windows 11 Dwelling Insiders.
The corporate additionally strengthened defenses towards brute-force assaults in September 2022 by introducing an SMB authentication fee limiter designed to mitigate the impression of unsuccessful inbound NTLM authentication makes an attempt.
