Microsoft makes signing mandatory on SMB with Windows 11 Canary build 25381.


Microsoft today released the latest Windows 11 build to Insiders on the Canary channel. The new build 25381 introduces a major change in SMB (Server Message Block) signing. Previously, SMB signing was not mandatory, but with the latest builds, Windows 11, Windows 10 and Server will require SMB signing by default. Microsoft says the change is meant to improve security.

Below is the changelog for build 25381.

What’s New in Build 25381

Change in SMB signing requirement

Starting with Windows 11 Insider Preview Build 25381 Enterprise Edition, SMB signing is now required by default for all connections. This replaces the legacy behavior, where Windows 10 and 11 required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON, and where Active Directory domain controllers required SMB signing when a client connected to them. This is part of a drive to improve Windows and Windows Server security for the modern landscape.

All versions of Windows and Windows Server support SMB signing, but a third-party SMB server may have it disabled or may not support it. If you try to connect to a remote share on a third-party SMB server that does not allow SMB signing, you may receive one of the following error messages:

  • 0xc000a000
  • -1073700864
  • STATUS_INVALID_SIGNATURE
  • The cryptographic signature is invalid.

To resolve this issue, configure your third-party SMB server to support SMB signing. This is Microsoft’s official recommended guidance. Do not disable SMB signing in Windows or use SMB1 to work around this behavior (SMB1 supports signing but does not enforce it). An SMB device that does not support signing allows interception and relay attacks from malicious parties.

SMB signing can reduce the performance of SMB copy operations. You can mitigate this with more physical CPU cores or virtual CPUs, as well as newer, faster CPUs.

To view the current SMB signing settings, run the following PowerShell commands:

Get-SmbServerConfiguration | fl requiresecuritysignature

Get-SmbClientConfiguration | fl requiresecuritysignature

To disable the SMB signing requirement for client (outbound to another device) connections, run the following PowerShell command as an elevated administrator:

Set-SmbClientConfiguration -RequireSecuritySignature $false

To disable the SMB signing requirement for server connections (on Windows 11 Insider Preview Build 25381 and higher Enterprise Edition devices), run the following PowerShell command as an elevated administrator:

Set-SmbServerConfiguration -RequireSecuritySignature $false

No reboot is required after changing these settings, but existing SMB connections will continue to use signing until they are closed.
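
The read-only audit below is an added example, not part of Microsoft's changelog. It reports whether signing is required in each direction and, because open connections keep the signing state they negotiated, lists the actual Signed flag of every current outbound connection. The function name Get-SmbSigningAudit is hypothetical; run it from an elevated PowerShell session.

```powershell
# Added example: audit SMB signing on the local machine. Changes nothing.
function Get-SmbSigningAudit {
    [CmdletBinding()]
    param()

    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration

    # One row per direction; Required = $true matches the build 25381 default.
    $settings = @(
        [pscustomobject]@{ Role = 'Client (outbound)'; Required = [bool]$client.RequireSecuritySignature }
        [pscustomobject]@{ Role = 'Server (inbound)';  Required = [bool]$server.RequireSecuritySignature }
    )

    # Existing outbound connections keep the state they negotiated when opened,
    # so report the per-connection Signed flag rather than inferring it.
    $connections = @(Get-SmbConnection |
        Select-Object ServerName, ShareName, Dialect, Signed)

    [pscustomobject]@{
        Settings            = $settings
        Connections         = $connections
        UnsignedConnections = @($connections | Where-Object { -not $_.Signed })
        # Compliant only when signing is required in both directions.
        Compliant           = -not ($settings | Where-Object { -not $_.Required })
    }
}

$audit = Get-SmbSigningAudit
$audit.Settings    | Format-Table -AutoSize
$audit.Connections | Format-Table -AutoSize

if (-not $audit.Compliant) {
    Write-Warning 'SMB signing is not required in at least one direction.'
}
if ($audit.UnsignedConnections.Count -gt 0) {
    Write-Warning "$($audit.UnsignedConnections.Count) open connection(s) are not signed."
}
```

Unsigned entries in the connection list point to the servers that would fail with STATUS_INVALID_SIGNATURE once the client requirement is enforced.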

For more information about this change, see https://aka.ms/SMBSigningOBD.

Changes and improvements

[General]

  • If a camera streaming problem is detected such as the camera failing to start or a closed camera shutter, a pop-up dialog will appear with a recommendation to start the automatic GetHelp troubleshooter to fix the problem.

You can find the official blog post here.
