Microsoft drops SMB1 firewall rules in new Windows 11 build

Windows 11 will no longer add SMB1 Windows Defender Firewall rules when creating new SMB shares, starting with today's Canary Channel Insider Preview Build 25992.

Before this change, and since Windows XP SP2, creating an SMB share automatically set up firewall rules within the "File and Printer Sharing" group for the specified firewall profiles.

After today, Windows 11 will instead configure the updated "File and Printer Sharing (Restrictive)" group, which omits the inbound NetBIOS ports 137-139 (SMB1 artifacts that SMB2 and later do not need).

"This change enforces a higher degree of default network security as well as bringing SMB firewall rules closer to the Windows Server "File Server" role behavior," Microsoft's Amanda Langowski and Brandon LeBlanc said.

"Administrators can still configure the "File and Printer Sharing" group if necessary as well as modify this new firewall group."

"We plan future updates for this rule to also remove inbound ICMP, LLMNR, and Spooler Service ports and restrict down to the SMB sharing-necessary ports only," added Microsoft Principal Program Manager Ned Pyle in a separate blog post.

The SMB client now also allows connections to an SMB server over TCP, QUIC, or RDMA on custom network ports instead of the hardcoded defaults; previously, SMB only supported TCP/445, QUIC/443, and RDMA iWARP/5445.
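To see which of the two firewall groups is actually active on a given host and whether the legacy NetBIOS ports are still exposed, the following PowerShell audit can be run elevated. It is an added example, not code from the article or from Microsoft; it assumes the two group display names quoted above and the standard NetSecurity cmdlets (Get-NetFirewallRule, Get-NetFirewallPortFilter), and the remediation lines at the end are left commented out so the script is read-only by default.

```powershell
# Added example (not from the article): audit which "File and Printer Sharing"
# firewall group is enabled and which inbound ports its rules open.
# Assumed: group display names as quoted in the article; NetSecurity module
# present (Windows 8 / Server 2012 and later). Run from an elevated shell.

$legacyGroup      = 'File and Printer Sharing'
$restrictiveGroup = 'File and Printer Sharing (Restrictive)'

function Get-InboundGroupPorts {
    param([Parameter(Mandatory)][string]$DisplayGroup)
    # Enabled inbound rules in the group, joined with their port filters.
    Get-NetFirewallRule -DisplayGroup $DisplayGroup -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rule = $_
            $rule | Get-NetFirewallPortFilter | ForEach-Object {
                [pscustomobject]@{
                    Rule      = $rule.DisplayName
                    Profile   = $rule.Profile
                    Protocol  = $_.Protocol
                    LocalPort = (@($_.LocalPort) -join ',')
                }
            }
        }
}

foreach ($g in $legacyGroup, $restrictiveGroup) {
    "== $g =="
    $ports = Get-InboundGroupPorts -DisplayGroup $g
    if (-not $ports) { "  (no enabled inbound rules)"; continue }
    $ports | Format-Table -AutoSize | Out-String | Write-Output

    # NetBIOS 137-139 are the SMB1 artifacts the restrictive group omits; flag them.
    $netbios = $ports | Where-Object { $_.LocalPort -match '^13[789]$' }
    if ($netbios) {
        "  WARNING: NetBIOS ports still exposed: $(($netbios.LocalPort | Sort-Object -Unique) -join ', ')"
    }
}

# Optional remediation on a host that still uses the legacy group: disable its
# inbound rules and enable the restrictive group instead. Uncomment to apply.
# Get-NetFirewallRule -DisplayGroup $legacyGroup      -Direction Inbound | Disable-NetFirewallRule
# Get-NetFirewallRule -DisplayGroup $restrictiveGroup -Direction Inbound | Enable-NetFirewallRule
```

On a host upgraded from an older build the legacy group may still be enabled alongside the new one; the warning line makes that visible before you decide whether to switch groups, and the TCP/445 rule needed for SMB2/SMB3 remains in either group.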

Windows Defender Firewall rules (Microsoft)

Making Windows safer, one step at a time

These improvements are part of an extensive effort to strengthen Windows and Windows Server security, as highlighted by other updates issued in recent months.

Following the introduction of Windows 11 Insider Preview Build 25982 in the Canary Channel, administrators can now enforce SMB client encryption for all outbound connections.

By requiring that every destination server support SMB 3.x and encryption, Windows administrators can ensure that no outbound connection falls back to cleartext, mitigating eavesdropping and interception attacks.

Admins can also configure Windows 11 systems to automatically block sending NTLM data over SMB on remote outbound connections, to thwart pass-the-hash, NTLM relay, and password-cracking attacks, starting with Windows 11 Insider Preview Build 25951.

With Windows 11 Insider Preview Canary Build 25381, Redmond also started requiring SMB signing (security signatures) by default for all connections, to defend against NTLM relay attacks.
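The three client-side protections described above (required signing, required encryption, and NTLM blocking) are all exposed through Set-SmbClientConfiguration on the builds that carry them. The script below audits and, with -Enforce, applies them; it is an added example and not code from the article or from Microsoft. It assumes the parameter names -RequireSecuritySignature (present since Windows 8), -RequireEncryption (Build 25982 and later) and -BlockNTLM (Build 25951 and later); because older builds lack the newer two, it inspects the cmdlet's parameter list and skips any that are missing rather than failing.

```powershell
# Added example (not from the article): audit and enforce the SMB client
# protections discussed above. Assumed parameter names: -RequireSecuritySignature,
# -RequireEncryption (Build 25982+), -BlockNTLM (Build 25951+). Run elevated.

function Get-SmbClientHardeningState {
    $cfg = Get-SmbClientConfiguration
    [pscustomobject]@{
        # Properties absent on older builds read as $null and cast to $false.
        RequireSecuritySignature = [bool]$cfg.RequireSecuritySignature
        RequireEncryption        = [bool]$cfg.RequireEncryption
        BlockNTLM                = [bool]$cfg.BlockNTLM
    }
}

function Set-SmbClientHardening {
    param([switch]$Enforce)
    $supported = (Get-Command Set-SmbClientConfiguration).Parameters.Keys
    $wanted = [ordered]@{
        RequireSecuritySignature = $true   # signing: defeats NTLM relay against this client
        RequireEncryption        = $true   # SMB 3.x encryption: defeats eavesdropping/interception
        BlockNTLM                = $true   # no NTLM on outbound: defeats PtH, relay, offline cracking
    }
    foreach ($name in $wanted.Keys) {
        if ($supported -notcontains $name) {
            Write-Warning "This build's Set-SmbClientConfiguration has no -$name; skipping"
            continue
        }
        if ($Enforce) {
            $splat = @{ $name = $wanted[$name]; Force = $true }
            Set-SmbClientConfiguration @splat
            "Set -$name $($wanted[$name])"
        }
        else {
            "Would set -$name $($wanted[$name])"
        }
    }
}

# 1. Current state, 2. dry run, 3. live connections with negotiated dialect and
# whether each is signed/encrypted. Peers that only speak SMB 2.x or lack
# encryption will stop connecting once -RequireEncryption is enforced, so
# review this list before flipping -Enforce.
Get-SmbClientHardeningState
Set-SmbClientHardening
Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect, Signed, Encrypted |
    Format-Table -AutoSize

# Set-SmbClientHardening -Enforce
```

The dry run is deliberate: requiring encryption or blocking NTLM is a hard failure for servers that cannot comply, so the Get-SmbConnection output is the quickest way to spot a legacy NAS or appliance that will break before the settings are enforced fleet-wide.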

Last year, in April, Microsoft announced the final phase of disabling the decades-old SMB1 file-sharing protocol for Windows 11 Home Insiders.

The company also strengthened defenses against brute-force attacks in September 2022 by introducing an SMB authentication rate limiter designed to mitigate the impact of unsuccessful inbound NTLM authentication attempts.