
SMB security hardening in Windows Server 2025 & Windows 11

by info.odysseyx@gmail.com


Hello everyone, Ned here again. Last November Microsoft released the Secure Future Initiative (SFI) to prepare for the growing scale and risk of cyberattacks. SFI brings together every part of Microsoft to advance cybersecurity protection across the company and across its products.

Windows has added security options in each major release, and Windows 11 24H2 and Windows Server 2025 are no exception. They include 12 new SMB features that make your data, users, and organization more secure, most of which are turned on by default. Today we’ll explain why these features are useful, share a few demos, and provide additional details.

The new operating systems will be generally available soon, and you can preview them right now: download Windows Server 2025 and Windows 11 24H2.

Let’s move on to security.

SMB signing is required by default

What is it

All SMB outbound and inbound connections on Windows 11 24H2, and all outbound connections on Windows Server 2025, now require signing by default. This changes the legacy behavior, where SMB signing was required by default only when connecting to shares named SYSVOL and NETLOGON, and where Active Directory domain controllers required SMB signing from connecting clients.

How it helps you

SMB signing has been available for decades and prevents data tampering and relay attacks that steal credentials. Because signing is now required by default, an administrator or user has to opt out rather than opt in: instead of needing expert knowledge of SMB network protocol security and having to turn signing on, you get the secure configuration out of the box.


Block SMB NTLM


What is it

The SMB client now supports blocking NTLM authentication for remote outbound connections. This changes the legacy behavior of always using negotiated authentication, which can downgrade from Kerberos to NTLM.

How it helps you

Blocking NTLM authentication prevents brute force, cracking, relaying, and pass-the-hash attacks that work by tricking clients into sending NTLM requests to malicious servers. Blocking NTLM is also necessary to enforce Kerberos authentication in your organization, which is more secure because it uses a ticketing system and stronger encryption to verify identity. Administrators can create exceptions that allow NTLM authentication over SMB to specific servers.


SMB Authentication Rate Limiter

What is it

The SMB Server service now throttles failed authentication attempts by default. This applies to SMB file shares on both Windows Server and Windows.

How it helps you

Brute force authentication attacks bombard SMB servers with a stream of username and password guesses, at rates ranging from tens to thousands of attempts per second. The SMB authentication rate limiter is enabled by default, with a two-second delay after each failed NTLM or local KDC Kerberos-based authentication attempt. For example, an attack that sends 300 guesses per second for 5 minutes (90,000 attempts) would now take 50 hours to complete. Attackers are far more likely to simply give up than to keep trying this method.


SMB Insecure Guest Authentication is Disabled by Default in Windows Pro Edition

What is it

Windows 11 Pro no longer allows SMB client guest connections or guest fallback to SMB servers by default. This makes Windows 11 Pro behave the way Windows 10 and Windows 11 Enterprise, Education, and Pro for Workstations editions have for years.

How it helps you

Guest logon does not require a password and does not support standard security features such as signing and encryption. Allowing a client to use guest logon exposes the user to man-in-the-middle and malicious server scenarios, for example a phishing attack that tricks the user into opening a file on a remote share, or a spoofed server that makes the client believe it is legitimate. The attacker does not need to know the user’s credentials, and incorrect passwords are simply ignored. By default, only third-party remote devices may require guest access; operating systems provided by Microsoft have not enabled guest in server scenarios since Windows 2000.


SMB Dialect Management


What is it

You can now specify which SMB 2 and 3 protocol versions are used.

How it helps you

Previously, SMB servers and clients would only automatically negotiate the best matching dialect, from SMB 2.0.2 to 3.1.1. You can now intentionally block older protocol versions, or devices that only speak them, from connecting. For example, you can specify that a connection may only use SMB 3.1.1, the most secure dialect of the protocol. The minimum and maximum values can be set independently on both the SMB client and server, and you can set only the minimum value if you wish.


SMB Client Encryption Mandate

What is it

SMB clients now support requiring encryption for all outbound SMB connections.

How it helps you

Requiring encryption for all outbound SMB client connections enforces the highest level of network security and brings management parity with SMB signing. When enabled, the SMB client will not connect to SMB servers that do not support SMB 3.0 or later, or that do not support SMB encryption. For example, a third-party SMB server may support SMB 3.0 but not SMB encryption. Unlike SMB signing, encryption is not required by default.
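As an added example (not code from the original post), here is a pre-flight check for the dialect management and encryption mandate features described above: it lists the client's current SMB connections that would stop working once encryption and SMB 3.1.1 are required, then applies the hardened client settings. It assumes the Get-SmbConnection properties Dialect, Encrypted and Signed, and the Set-SmbClientConfiguration parameters named in the code; the function names are mine.

```powershell
# Added example, not part of the original post.
# List current SMB connections that the encryption mandate would break:
# a negotiated dialect below 3.0 cannot encrypt, and an unencrypted session
# means the server either cannot or is not configured to encrypt.
function Get-SmbEncryptionMandateBlockers {
    [CmdletBinding()]
    param()
    Get-SmbConnection | Where-Object {
        # Dialect is reported as a version string such as "3.1.1" (assumption).
        ([version]$_.Dialect) -lt [version]'3.0' -or -not $_.Encrypted
    } | Select-Object ServerName, ShareName, Dialect, Encrypted, Signed
}

# Apply the client-side hardening the post describes: signing required,
# SMB 3.1.1 as both minimum and maximum dialect, and encryption required
# for every outbound connection. Supports -WhatIf for a dry run.
function Set-SmbClientHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $target = 'SMB client configuration'
    $action = 'Require signing, allow only SMB 3.1.1, require encryption'
    if ($PSCmdlet.ShouldProcess($target, $action)) {
        Set-SmbClientConfiguration -RequireSecuritySignature $true `
            -Smb2DialectMin SMB311 -Smb2DialectMax SMB311 `
            -RequireEncryption $true -Confirm:$false
    }
    # Return the resulting settings so the caller can verify them.
    Get-SmbClientConfiguration |
        Select-Object RequireSecuritySignature, Smb2DialectMin, Smb2DialectMax, RequireEncryption
}

# Typical use: review the blockers first, then dry-run, then apply.
# Get-SmbEncryptionMandateBlockers
# Set-SmbClientHardening -WhatIf
# Set-SmbClientHardening
```

Any server that appears in the blocker list (for instance a third-party NAS that speaks SMB 3.0 but cannot encrypt) needs to be upgraded or excluded before the mandate is applied fleet-wide.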


Remote Mailslots Deprecated and Disabled by Default

What is it

Remote Mailslots are deprecated and disabled by default, both for SMB and for the DC Locator protocol used with Active Directory.

How it helps you

The Remote Mailslot protocol is an old, simple, and unreliable IPC method that was first introduced in MS-DOS. It is insecure, with no authentication or authorization mechanism at all.


SMB over QUIC on all editions of Windows Server


What is it

SMB over QUIC is now included in all editions of Windows Server 2025 (Datacenter, Standard, and Azure Editions), rather than just the Azure Edition in Windows Server 2022.

How it helps you

SMB over QUIC is an alternative to the legacy TCP transport and is designed for use on untrusted networks such as the Internet. It uses TLS 1.3 and certificates to encrypt all SMB traffic, and it can be used through edge firewalls by mobile and remote users without a VPN. The user experience is unchanged.


SMB over QUIC Client Access Control

What is it

SMB over QUIC client access control allows you to restrict which clients can access an SMB over QUIC server. The legacy behavior allowed connection attempts from any client that trusted the QUIC server’s certificate issuance chain.

How it helps you

Client access control lets you build allow and block lists of devices that may connect to file servers. Clients now need their own certificates and must be on the allow list to complete the QUIC connection before an SMB connection can occur. Client access control gives organizations more protection without changing the authentication used to establish SMB connections, and the user experience is unchanged. You can also disable the SMB over QUIC client entirely, or allow connections only to specific servers.


SMB Alternate Port

What is it

The SMB client can now connect to alternate TCP, QUIC, and RDMA ports instead of the IANA/IETF defaults of 445 (TCP), 443 (QUIC), and 5445 (RDMA).

How it helps you

Windows Server can host SMB over QUIC connections on firewall-allowed ports other than 443. You can connect to an alternate port only if the SMB server is configured to listen on that port. You can also configure your deployment to block alternate port configurations, or to allow a given port only for specific servers.


Change the SMB Firewall Default Port

What is it

Built-in firewall rules no longer include the SMB NetBIOS port.

How it helps you

The NetBIOS ports were only needed for SMB1, and that protocol is deprecated and removed by default. This change brings the SMB firewall rules in line with the standard behavior of the Windows Server File Server role. Administrators can reconfigure the rules to restore the legacy ports.


SMB Auditing Improvements

What is it

SMB now supports auditing of SMB over QUIC usage, of third-party devices that lack encryption support, and of third-party devices that lack signing support. All of these work on both the SMB server and the SMB client.

How it helps you

It’s now much easier to verify that Windows and Windows Server devices are making SMB over QUIC connections. It’s also much easier to verify that third-party devices support signing and encryption before you require them to use it.
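As an added example (not code from the original post), the following posture check reads the local SMB client and server configuration and reports which of the settings discussed in this post are in their hardened state. It assumes the property names exposed by Get-SmbClientConfiguration and Get-SmbServerConfiguration as listed in the code, and treats the post's stated values (signing required, NTLM blocked, guest disabled, SMB 3.x minimum, two-second authentication delay, mailslots off) as the expected baseline; the function name is mine.

```powershell
# Added example, not part of the original post: compare local SMB client and
# server settings against the hardened defaults this post describes.
function Test-SmbHardeningPosture {
    [CmdletBinding()]
    param()
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration

    # Each check records the observed value and whether it meets the baseline.
    # A property missing on older builds reads as $null and is reported as not hardened.
    $checks = @(
        @{ Name = 'Client requires signing';      Value = $client.RequireSecuritySignature
           Ok = $client.RequireSecuritySignature -eq $true }
        @{ Name = 'Client blocks NTLM';           Value = $client.BlockNTLM
           Ok = $client.BlockNTLM -eq $true }
        @{ Name = 'Client guest logons disabled'; Value = $client.EnableInsecureGuestLogons
           Ok = $client.EnableInsecureGuestLogons -eq $false }
        @{ Name = 'Client minimum dialect 3.x';   Value = $client.Smb2DialectMin
           Ok = $client.Smb2DialectMin -in 'SMB300','SMB302','SMB311' }
        @{ Name = 'Client requires encryption';   Value = $client.RequireEncryption
           Ok = $client.RequireEncryption -eq $true }
        @{ Name = 'Server requires signing';      Value = $server.RequireSecuritySignature
           Ok = $server.RequireSecuritySignature -eq $true }
        @{ Name = 'Server failed-auth delay (ms)'; Value = $server.InvalidAuthenticationDelayTimeInMs
           Ok = $server.InvalidAuthenticationDelayTimeInMs -ge 2000 }
        @{ Name = 'Server mailslots disabled';    Value = $server.EnableMailslots
           Ok = $server.EnableMailslots -eq $false }
    )

    foreach ($c in $checks) {
        [pscustomobject]@{
            Check    = $c.Name
            Observed = $c.Value
            Hardened = [bool]$c.Ok
        }
    }
}

# Show only the settings that are weaker than the baseline:
# Test-SmbHardeningPosture | Where-Object { -not $_.Hardened }
```

Note that "Client requires encryption" is deliberately off by default, as the post says, so it will show as not hardened until you opt in.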


With the release of Windows Server 2025 and Windows 11 24H2, we’ve made the most significant changes to SMB security since SMB 2 was introduced in Windows Vista. Deploying these operating systems fundamentally changes your security posture and reduces risk to this ubiquitous remote file and data fabric protocol used by organizations around the world.

For more information about the changes in Windows Server 2025, visit the Windows Server Summit 2024 (March 26-28, 2024) Microsoft event page and check out dozens of presentations and demos of the latest features coming to the operating system this fall.

And remember, you can try all of this right now: preview Windows Server 2025 and Windows 11 24H2.

Until next time,

– Ned Pyle
