Microsoft Previews Delaying Brute-Force NTLM Logon Guesses in Windows Server
Microsoft this week announced a preview of its next Windows Server ("VNext") enhancements, which includes a new approach for deterring brute-force attempts to guess system passwords and gain network access.
This new approach is known as the "Server Message Block (SMB) Windows NT LAN Manager (NTLM) authentication rate limiter." The rate that this feature limits is the time period between attempts to guess passwords for NTLM logons. Microsoft is now previewing this capability in its newly released Windows Server Insider build 25075 for use by testers.
The idea behind the SMB authentication rate limiter is to frustrate attackers that use automated "dictionary" methods to guess NTLM logons. NTLM is an old challenge-and-response authentication protocol that's still supported for use with Windows system authentications, even though Microsoft recommends using Kerberos instead.
To invoke the SMB authentication rate limiter, IT pros use a PowerShell commandlet. It lets them specify the delay time between NTLM logon guesses in milliseconds. Microsoft has already specified a two-second default delay period (2,000 milliseconds) for Windows Insider program testers, affecting Windows 11 and Windows Server 2022 operating systems.
"Starting in Windows Insider build 25069.1000.220302-1408 and later on Windows 11 and Windows Server 2022, the SMB Server service now implements a default 2-second delay between each failed NTLM-based authentication," the announcement explained.
IT pros can set the delay time as they wish, but Microsoft is experimenting with the default two seconds. It wants to get feedback on the use of the SMB authentication rate limiter preview because it is "possible some third-party applications may have problems with this new feature." Microsoft also might alter the default delay time, based on the user feedback it gets.
Kerberos users can relax, as "this behavior change has no effect on Kerberos, which authenticates before an application protocol like SMB connects," the announcement explained.
In essence, Microsoft is trying to make life difficult for brute-force password guessers with the SMB authentication rate limiter feature.
Attackers typically may use "common open source tools" to send NTLM logon tries at a rate of "hundreds of logon attempts per second," explained Ned Pyle, a principal program manager on the Windows Server engineering group, in this Microsoft Tech Community post (which includes a demo).
When 300 brute force password guess attempts per second are sent by an attacker over five minutes, it represents 90,000 password tries over a relatively short period of time. However, adding a default two-second delay period between those password tries would lengthen such an attack period to "25 hours at a minimum," Pyle explained. Such a delay may make Windows Server less attractive as a target.
Microsoft is planning to add the SMB authentication rate limiter feature to its next new Windows OS releases, both server and client, sometime this year, and the feature possibly could get backported to older Windows Server products, too, according to Pyle, in this Twitter post discussion. Here's how Pyle expressed it:
The feature [SMB authentication rate limiter] will come in the next major OS release of server and client, in the WS2022 Azure Edition annual update later this year, and likely as a backport into WS2022 and perhaps 2019. Will have to see how the preview goes first.
Pyle characterized the SMB authentication rate limiter feature as yet another SMB security enhancement that Microsoft has been making since the release of Windows 11 and Windows Server 2022. "Legacy" or older SMB behaviors are going to get addressed in future Windows OS releases, Pyle added.
We will change, deprecate, or remove many legacy SMB and pre-SMB protocol behaviors over the next few major releases of operating systems in a security modernization campaign, similar to the removal of SMB1. I will have a lot more to share over the coming year, stay tuned.
Microsoft's Windows Server Insider Programs
The Windows Server Insider program lets IT pros test and give feedback on features that may or may not arrive in a future Windows Server update releases. This build 25075 release is preview for the next server release, and not necessarily the current Windows Server 2022 product, Microsoft's announcement stressed.
"Branding has not yet been updated and remains as Windows Server 2022 in this preview -- when reporting issues please refer to "VNext" rather than Windows Server 2022 which is currently in market," the announcement explained.
Microsoft is planning to launch an Insider program specifically for Windows Server 2022 Datacenter Azure Edition users, followed by one for Azure Stack HCI Azure Edition users, Pyle noted, in this March 15 Tech Community post.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.