Earlier today, Microsoft released the latest Windows 11 Canary Channel update for Insider Program members. The new 25381 build for Enterprise Editions now requires Server Message Block (SMB) signing for all connections.
In a blog post, Microsoft’s principal program manager, Ned Pyle, explained the reason for the move and also revealed that the change will roll out to Windows Server as well as further versions of Windows.
While both Windows and Windows Server have supported SMB signing for a long time, Microsoft has more recently been taking steps to make it a bigger part of Windows security.
In March 2022, Microsoft added an SMB authentication rate limiter to Insider builds. This rate limiter sets a timeout limit of 2 seconds on each failed NTLM authentication attempt. In theory, this should make it very difficult for hackers to make multiple sign-in attempts.
In January 2023, Microsoft said Windows 11 Pro would soon begin disabling insecure SMB guest authentication fallbacks. Today, Pyle said the new move to require SMB signing by default is “part of a drive to improve Windows and Windows Server security for the modern landscape.”
Expect this default change for signing to come to Pro, Education, and other editions of Windows, as well as Windows Server, over the next few months. Depending on how things go in Insiders, it will then start to appear in major releases.
Also, we should expect more SMB security changes in future versions of Windows, according to Pyle:
“We will continue to push more secure SMB defaults and many new SMB security options in the coming years. I know they can be a pain for application compatibility and Windows has a legacy of ensuring ease of use, but security can’t be left to chance.”
It will be interesting to see how Microsoft’s decision to use more secure SMB defaults in future editions will affect Windows security.
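To see where a machine stands on the three settings mentioned in this article (required SMB signing, insecure guest fallback, and the authentication rate limiter), the following PowerShell audit can be run before the new defaults arrive. It is an added example, not code from Microsoft or the original article; it assumes the built-in SmbShare cmdlets and an elevated session, and the function name `Get-SmbHardeningReport` is hypothetical.

```powershell
# Added example: report the local SMB settings discussed in the article.
# Assumes the built-in SmbShare module; run from an elevated PowerShell session.

function Get-SmbHardeningReport {
    $config = @{
        Client = Get-SmbClientConfiguration
        Server = Get-SmbServerConfiguration
    }

    # Each check names a setting and a test for the hardened value.
    # 2000 ms corresponds to the 2-second limit described in the article.
    $checks = @(
        @{ Side = 'Client'; Name = 'RequireSecuritySignature'
           Hardened = 'True';    Ok = { param($v) $v -eq $true } }
        @{ Side = 'Server'; Name = 'RequireSecuritySignature'
           Hardened = 'True';    Ok = { param($v) $v -eq $true } }
        @{ Side = 'Client'; Name = 'EnableInsecureGuestLogons'
           Hardened = 'False';   Ok = { param($v) $v -eq $false } }
        @{ Side = 'Server'; Name = 'InvalidAuthenticationDelayTimeInMs'
           Hardened = '>= 2000'; Ok = { param($v) $v -ge 2000 } }
    )

    foreach ($c in $checks) {
        # Older builds do not expose every property, so look it up defensively.
        $prop = $config[$c.Side].PSObject.Properties[$c.Name]

        [pscustomobject]@{
            Side      = $c.Side
            Setting   = $c.Name
            Current   = if ($prop) { $prop.Value } else { 'not available on this build' }
            Hardened  = $c.Hardened
            Compliant = [bool]($prop -and (& $c.Ok $prop.Value))
        }
    }
}

Get-SmbHardeningReport | Format-Table -AutoSize
```

A row with `Compliant` set to `False` on either `RequireSecuritySignature` line marks a machine whose connections to devices without signing support may start failing once signing is required by default.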