Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Microsoft Makes SMB Signing Default Requirement in Windows 11 to Boost Security

Microsoft is making SMB signing a default requirement in Windows 11 Enterprise editions, starting with insider preview build 25381.

Microsoft on Friday announced that SMB signing is now a default requirement in Windows 11 Enterprise editions, starting with insider preview build 25381.

Also known as security signatures, SMB signing (Server Message Block signing) is a security mechanism where every SMB message contains a signature meant to confirm the identities of the sender and the receiver.

Available since Windows 98 and Windows 2000, SMB signing would block modified messages by checking the hash of the entire message, which the client puts into the signature field.

The security mechanism is meant to prevent relay attacks, but it has not been enabled by default in Windows 10 and Windows 11, except for connections to shares named SYSVOL and NETLOGON and if Active Directory (AD) domain controllers were set to require SMB signing for client connections.

All Windows and Windows Server versions support SMB signing, and the feature is now enabled by default for all connections, starting with Windows 11 insider preview build 25381 Enterprise editions, released in the Canary channel.

“This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape,” Microsoft explained. 

Advertisement. Scroll to continue reading.

When attempting to connect to a remote share on a third-party SMB server that does not support SMB signing or which has disabled it, an error message will be displayed.

To resolve the issue, Microsoft recommends configuring the third-party SMB server to support SMB signing.

“Do not disable SMB signing in Windows or use SMB1 to work around this behavior (SMB1 supports signing but does not enforce it). An SMB device that does not support signing allows interception and relay attacks from malicious parties,” the tech giant notes.

As part of an NTLM relay attack, a threat actor forces AD domain controllers and other network devices to authenticate to attacker-controlled servers, which allows the attackers to impersonate the AD controllers to take over the entire domain.

Microsoft warns that the default SMB signing requirement may lead to performance issues and provides steps to mitigate that. The company also provides information on how SMB signing can be disabled on both clients and servers.

Related: Microsoft Makes Second Attempt to Patch Recent Outlook Zero-Day

Related: Microsoft Patch Tuesday: 40 Vulnerabilities, 2 Zero-Days

Related: NTLM Relay Attack Abuses Windows RPC Protocol Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

Mark Carter has been appointed Chief Information Security Officer at Socure.

Spektrum Labs has named Mark Cravotta Chief Operating Officer.

More People On The Move

Expert Insights

Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.