November 8, 2023 at 02:57PM
Windows 11 is making security improvements by updating the Windows Defender Firewall rules for SMB shares. The changes include omitting inbound NetBIOS ports and allowing connections with SMB servers over custom network ports. Administrators can still configure and modify the firewall rules as needed. These updates aim to strengthen Windows and Windows Server security.
Meeting Summary:
In the meeting, it was discussed that Windows 11 will no longer add SMB1 Windows Defender Firewall rules when creating new SMB shares. This change is effective from today’s Canary Channel Insider Preview Build 25992. Previously, the legacy firewall rules were set up automatically when an SMB share was created; Windows 11 now configures the updated “File and Printer Sharing (Restrictive)” group instead, which omits the inbound NetBIOS ports 137-139.
The purpose of this change is to enhance network security and align SMB firewall rules with the behavior of the Windows Server “File Server” role. Administrators still have the option to configure the “File and Printer Sharing” group or modify the new firewall group.
It was also mentioned that future updates will further restrict the inbound ICMP, LLMNR, and Spooler Service ports, leaving only the ports that SMB sharing actually needs.
Another improvement discussed was that the SMB client now allows connections with an SMB server via TCP, QUIC, or RDMA over custom network ports, in addition to the previously supported TCP/445, QUIC/443, and RDMA iWARP/5445.
These security enhancements are part of a broader effort to strengthen Windows and Windows Server security, which includes other updates that have been released recently.
Additional measures highlighted in the meeting include enforcing SMB client encryption for all outbound connections and blocking NTLM from being sent over SMB on remote outbound connections, which removes the exposure to pass-the-hash, NTLM relay, and password-cracking attacks.
Furthermore, SMB signing (security signatures) is now required by default for all connections to defend against NTLM relay attacks.
It was mentioned that in April of last year, the SMB1 file-sharing protocol was disabled for Windows 11 Home Insiders. Defenses against brute-force attacks were also strengthened in September 2022 with the introduction of an SMB authentication rate limiter, which throttles unsuccessful inbound NTLM authentication attempts.
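For administrators who want to check where a machine stands against the firewall-group change above and the signing, encryption and SMB1 hardening described in the last three paragraphs, here is an added read-only audit script (not from the original post or from Microsoft). It assumes the built-in NetSecurity and SmbShare cmdlets and matches firewall groups by the display-group prefix “File and Printer Sharing”, so both the classic group and the new “(Restrictive)” group are listed.

```powershell
# Added audit script (not from the original post): lists enabled inbound allow rules in the
# "File and Printer Sharing" / "File and Printer Sharing (Restrictive)" groups, flags any
# that open the NetBIOS ports 137-139 the Restrictive group omits, then reports the SMB1,
# signing and encryption settings. Read-only; run in an elevated PowerShell session.
$NetBiosPorts = 137, 138, 139

function Test-OpensNetBios {
    param([string]$Protocol, [string[]]$LocalPort)
    if ($Protocol -notin 'TCP', 'UDP') { return $false }       # ICMP etc. carry no ports
    foreach ($p in $LocalPort) {
        if ($p -eq 'Any') { return $true }                     # wide open, includes 137-139
        if ($p -match '^(\d+)-(\d+)$') {                        # port range, e.g. "137-139"
            $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
            if ($NetBiosPorts | Where-Object { $_ -ge $lo -and $_ -le $hi }) { return $true }
        } elseif ($p -match '^\d+$' -and $NetBiosPorts -contains [int]$p) { return $true }
    }
    return $false
}

# 1. Firewall rules: which "File and Printer Sharing*" rules still expose NetBIOS?
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.DisplayGroup -like 'File and Printer Sharing*' } |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Group        = $_.DisplayGroup
            Rule         = $_.DisplayName
            Protocol     = $pf.Protocol
            LocalPort    = (@($pf.LocalPort) -join ',')
            Profile      = $_.Profile
            OpensNetBIOS = Test-OpensNetBios -Protocol $pf.Protocol -LocalPort @($pf.LocalPort)
        }
    } | Sort-Object OpensNetBIOS -Descending | Format-Table -AutoSize

# 2. SMB hardening state described in the post (SMB1 off, signing required, encryption on)
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
[pscustomobject]@{
    SMB1ServerEnabled     = $srv.EnableSMB1Protocol
    ServerRequiresSigning = $srv.RequireSecuritySignature
    ServerEncryptsData    = $srv.EncryptData
    ClientRequiresSigning = $cli.RequireSecuritySignature
} | Format-List
```

Any row with OpensNetBIOS set to True on a build that should be using the Restrictive group indicates a rule that was added or re-enabled outside the new default and is worth reviewing.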