Microsoft Adds SMB Security Controls for Windows Insider Program Testers
IT pros can test removing SMB NTLM and other security measures.
Microsoft has added Server Message Block (SMB) security measures for IT pros, which are now available as part of an early Windows preview release, via the Windows Insider test program.
Two new SMB security capabilities were announced this week by Ned Pyle, a principal program manager for Microsoft's core OS engineering group. One of the capabilities will permit IT pros to block the SMB NTLM (Windows New Technology LAN Manager) protocol from being used in outbound connections, as described here. The other SMB security capability offers the option to select SMB "dialects" (e.g., SMB 2 or SMB 3) for Windows servers, as described in this post.
Both SMB security capabilities are part of a Windows "Canary" Channel preview release, which is Microsoft's early test-release venue. They are part of Windows Insider preview build 25951, which was announced this week.
SMB NTLM Blocking
SMB NTLM blocking can be configured using Group Policy and PowerShell. It'll result in using Kerberos authentication instead. Here's how Pyle characterized it:
Connecting to Active Directory domain-joined computers with SMB while using a domain user account should always result in Kerberos authentication. Blocking NTLM should have no consequences to connectivity in this case.
Microsoft has advocated using Kerberos instead of NTLM for a couple of decades, per this Microsoft document:
The Kerberos protocol was promoted in Windows Server 2003 and Windows XP as a stronger authentication protocol using mutual authentication instead of the challenge/response method of NTLM.
NTLM has a bunch of issues, such as "no server authentication," "weaker cryptography" and "slower performance" vs. Kerberos, the document indicated. NTLM is still supported though, and "must be used for Windows authentication with systems configured as a member of a workgroup." The document also explained that "NTLM authentication is also used for local logon authentication on non-domain controllers." Non-Microsoft applications, and some Microsoft applications, "still might use NTLM," it added.
Pyle offered troubleshooting tips for any problems encountered after blocking SMB NTLM. The blocking option is being made available as part of Microsoft's general campaign to improve Windows security. Another capability to come will "allow administrators to control SMB NTLM blocking to specific servers with an allow list," he added.
SMB Dialect Management
The other Canary channel SMB security feature lets IT pros specify which SMB dialect gets used for servers, such as always using SMB 3.
Pyle noted that this setting option "changes legacy behavior, where Windows SMB server always negotiated the highest matched server dialect from SMB 2.0.2 to 3.1.1 clients." SMB 3.1.1 is deemed to be the "most secure dialect," according to Pyle, although an attack venue exploiting a particular vulnerability had been noted by the U.S. Cybersecurity and Infrastructure Security Agency about three years ago.
The ability to select the SMB dialect for Windows clients was already available. It's been available since the release of Windows 10, Pyle noted. The ability to set it for Windows servers is a new addition.
Pyle is Microsoft's most prominent spokesperson on all things SMB, and raised alarms about the SMB 1 protocol back in 2017, which was exploited worldwide by "wormable" wiper malware dubbed "WannaCry" (NotPetya). Microsoft has been gradually removing SMB 1 from Windows since that time. It's been a slow removal, though, as Microsoft chronicled last year.
Other Windows Insider Releases
Another Windows 11 Insider release this week (build 22621.2338 and 22631.2338), this time for Beta Channel testers, adds a "new Focus Session widget as part of a Clock app." It also changes Chat to Teams Free. Additionally, users can disable some apps in this build, such as Phone Link, and they can uninstall the Camera, Cortana and People apps. The Beta Channel typically offers features closer to what might be expected in Microsoft's final product releases.
Microsoft also released Windows 11 preview build 23545 to Windows Insider program Dev Channel testers. It's a channel that includes features that "may never get released." This release shows options when a user hovers over the Task Bar's search box. It also provides "a more friendly name" for devices when sharing content.
Microsoft also published two separate announcement this week regarding Canary and Dev Channel Windows releases, which presumably are part of the same builds described above. There's a new background blur option in the Windows Photos app. Microsoft also added the ability to quickly search for OneDrive-stored photos, as described in this announcement.
Also, Microsoft's Snipping Tool is getting the ability to copy text in screenshots. Additionally, the Phone Link app will work with Snipping Tool to edit Android device photos, per this announcement.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.