October 25, 2023 at 02:41PM
Windows 11 Insider Preview Build 25982 introduces the capability for admins to mandate SMB client encryption for all outbound connections. This ensures data end-to-end encryption and defense against eavesdropping and interception attacks. Windows admins can configure the SMB client to always require encryption using PowerShell or group policy. Additionally, Windows 11 incorporates SMB signing and blocks sending NTLM data over SMB on remote outbound connections to enhance security. These improvements are part of Microsoft’s broader effort to strengthen the security of Windows and Windows Server.
The meeting notes discuss several security enhancements related to SMB (Server Message Block) encryption in Windows 11. Here are the key points:
1. Windows 11 now allows admins to mandate SMB client encryption for all outbound connections. This ensures data end-to-end encryption and helps defend against eavesdropping and interception attacks.
2. SMB encryption can be enabled on a per-share basis for the entire file server or when mapping drives using Windows Admin Center, Windows PowerShell, or UNC Hardening.
3. This capability was first introduced with SMB 3.0 in Windows 8 and Windows Server 2012. Windows 11 and Windows Server 2022 added support for AES-256-GCM cryptographic suites.
4. The SMB client can be configured to always require encryption, regardless of the server, share, UNC hardening, or mapped drive requirements. This can be done through PowerShell or the ‘Require encryption’ group policy.
5. Windows 11 can automatically block sending NTLM (NT LAN Manager) data over SMB on remote outbound connections to defend against pass-the-hash, NTLM relay, or password-cracking attacks.
6. SMB signing is now required by default for all connections in Windows 11 and Windows Server 2022. SMB signing enhances protection and performance by increasing data encryption speeds.
7. SMB encryption supersedes SMB signing and provides the same level of tamper protection. Requiring both is unnecessary because encryption takes precedence.
These security improvements are part of Microsoft’s ongoing efforts to strengthen the security of Windows and Windows Server, and they build upon previous enhancements such as disabling the SMB1 protocol and introducing an SMB authentication rate limiter to mitigate brute-force attacks.