SecurityWeek

Microsoft Makes SMB Signing Default Requirement in Windows 11 to Boost Security

Microsoft is making SMB signing a default requirement in Windows 11 Enterprise editions, starting with insider preview build 25381.

Microsoft on Friday announced that SMB signing is now a default requirement in Windows 11 Enterprise editions, starting with insider preview build 25381.

Also known as security signatures, SMB signing (Server Message Block signing) is a security mechanism where every SMB message contains a signature meant to confirm the identities of the sender and the receiver.

Available since Windows 98 and Windows 2000, SMB signing would block modified messages by checking the hash of the entire message, which the client puts into the signature field.
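The signature check described above can be modeled in a few lines. This is an added example, not code from the article or from Microsoft; it uses the SMB 2.x scheme (HMAC-SHA256 over the whole message with the signature field zeroed, truncated to 16 bytes), while SMB 3.x uses AES-based MACs instead. The session key, IDs, payload and the `require_signing` switch are constructed simplifications.

```python
import hashlib
import hmac
import struct

# SMB2 packet header (64 bytes, little-endian); the last field is the Signature.
SMB2_HEADER = struct.Struct("<4sHHIHHIIQIIQ16s")
FLAGS_OFFSET, SIG_OFFSET, SIG_LEN = 16, 48, 16
SMB2_FLAGS_SIGNED = 0x00000008

def build_message(command, message_id, session_id, tree_id, payload):
    """Build an unsigned SMB2 message: header plus an opaque payload."""
    header = SMB2_HEADER.pack(b"\xfeSMB", 64, 1, 0, command, 1, 0, 0,
                              message_id, 0, tree_id, session_id, bytes(SIG_LEN))
    return header + payload

def _mac(key, msg):
    # The MAC covers the entire message with the Signature field zeroed.
    zeroed = msg[:SIG_OFFSET] + bytes(SIG_LEN) + msg[SIG_OFFSET + SIG_LEN:]
    return hmac.new(key, zeroed, hashlib.sha256).digest()[:SIG_LEN]

def sign(key, msg):
    """Set the SIGNED flag, then write the truncated HMAC into the header."""
    buf = bytearray(msg)
    flags = struct.unpack_from("<I", buf, FLAGS_OFFSET)[0]
    struct.pack_into("<I", buf, FLAGS_OFFSET, flags | SMB2_FLAGS_SIGNED)
    buf[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = _mac(key, bytes(buf))
    return bytes(buf)

def verify(key, msg, require_signing=True):
    """Receiver-side check; require_signing is a simplified stand-in for policy."""
    if len(msg) < SMB2_HEADER.size or msg[:4] != b"\xfeSMB":
        return False
    flags = struct.unpack_from("<I", msg, FLAGS_OFFSET)[0]
    if not flags & SMB2_FLAGS_SIGNED:
        return not require_signing  # unsigned traffic passes only if not enforced
    return hmac.compare_digest(msg[SIG_OFFSET:SIG_OFFSET + SIG_LEN], _mac(key, msg))

# Constructed sample data: key, IDs and payload are made up for illustration.
SESSION_KEY = bytes(range(16))
UNSIGNED = build_message(0x0009, 7, 0x1122334455667788, 1, b"constructed payload")
SIGNED = sign(SESSION_KEY, UNSIGNED)
TAMPERED = SIGNED[:-1] + bytes([SIGNED[-1] ^ 0x01])

if __name__ == "__main__":
    print("signed ok:", verify(SESSION_KEY, SIGNED))
    print("tampered ok:", verify(SESSION_KEY, TAMPERED))
    print("unsigned, not enforced:", verify(SESSION_KEY, UNSIGNED, require_signing=False))
```

With `require_signing=False` the unsigned message is accepted, which is the gap between a peer that merely supports signing and one that requires it.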

The security mechanism is meant to prevent relay attacks, but it has not been enabled by default in Windows 10 and Windows 11, except for connections to shares named SYSVOL and NETLOGON, and when Active Directory (AD) domain controllers were set to require SMB signing for client connections.

All Windows and Windows Server versions support SMB signing, and the feature is now enabled by default for all connections, starting with Windows 11 insider preview build 25381 Enterprise editions, released in the Canary channel.

“This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape,” Microsoft explained. 

When attempting to connect to a remote share on a third-party SMB server that does not support SMB signing or which has disabled it, an error message will be displayed.

To resolve the issue, Microsoft recommends configuring the third-party SMB server to support SMB signing.

“Do not disable SMB signing in Windows or use SMB1 to work around this behavior (SMB1 supports signing but does not enforce it). An SMB device that does not support signing allows interception and relay attacks from malicious parties,” the tech giant notes.

As part of an NTLM relay attack, a threat actor forces AD domain controllers and other network devices to authenticate to attacker-controlled servers, which allows the attackers to impersonate the AD controllers to take over the entire domain.

Microsoft warns that the default SMB signing requirement may lead to performance issues and provides steps to mitigate that. The company also provides information on how SMB signing can be disabled on both clients and servers.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
