Called SMB Authentication Rate Limiter, it is available in Windows 11 Insider and Windows Server Insider builds and makes it more time-consuming for cybercriminals to target the server with password guessing attacks.
“If your organization doesn’t have intrusion detection software or set up a password lockout policy, an attacker could guess a user’s password within days or hours. A mainstream user who disables their firewall and brings their device to an unsecured network has a similar problem,” said Microsoft security expert Ned Pyle.
The company said the SMB Server service now defaults to a default of two seconds between New Technology LAN Manager (NTLM) inbound authentication failures.
SMB refers to the Server Message Block (SMB) network file sharing protocol, while Windows NTLM is a suite of security protocols offered by Microsoft to authenticate the identity of users and protect the integrity and confidentiality of their activity.
“This means that if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes (90,000 passwords), the same number of attempts would now take a minimum of 50 hours. The goal here is to make a machine a very unattractive target for attacking local credentials over SMB,” Pyle informed.
Discover the stories that interest you
SMB refers to the Server Message Block (SMB) network file sharing protocol. Windows and Windows Server come with SMB Server enabled. NTLM refers to the NT Lan Manager (NTLM) protocol for client-server authentication with, for example, Active Directory (AD) NTLM logins.
Microsoft is rolling out several secure defaults in Windows 11, including a default account lockout policy to mitigate RDP and other brute-force password attacks.
