Microsoft has announced the release of Windows 11 Insider Preview Build 25381 to the Canary Channel. This update brings significant improvements to the security of Windows and Windows Server, particularly regarding Server Message Block (SMB) signing.
With SMB signing now required by default for all connections in the Enterprise editions, Microsoft aims to enhance the security posture of its operating systems in the modern landscape.
SMB signing is a security feature that helps prevent unauthorized tampering or interception of data transferred between devices using the SMB protocol. It ensures the integrity and authenticity of data by appending a digital signature to SMB packets.
By requiring SMB signing by default for all connections, Microsoft is taking a proactive approach to safeguarding sensitive information and protecting users from potential interception and relay attacks.
Previously, Windows 10 and 11 required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON, and when Active Directory domain controllers required SMB signing for client connections. With Build 25381, this behavior has changed, and SMB signing is now mandatory for all connections in Windows 11 Enterprise editions.
This update aligns with Microsoft's ongoing efforts to improve security in Windows and Windows Server.
While all versions of Windows and Windows Server support SMB signing, there may be cases where a third-party SMB server disables or does not support this feature. When attempting to connect to a remote share on such servers, users may encounter error messages such as "0xc000a000", "-1073700864", or "STATUS_INVALID_SIGNATURE".
To resolve this issue, Microsoft strongly recommends configuring the third-party SMB server to support SMB signing. Disabling SMB signing in Windows or resorting to SMB1 as a workaround is not advised, as it opens the door to potential interception and relay attacks.
Enabling SMB signing may impact the performance of SMB copy operations. However, this can be mitigated by employing more physical CPU cores or virtual CPUs, as well as utilizing newer and faster CPUs. While enhanced security measures are essential, Microsoft recognizes the need for maintaining optimal system performance.
Windows administrators can easily manage SMB signing settings using PowerShell commands. To view the current SMB signing settings, the following PowerShell commands can be executed:
Get-SmbServerConfiguration | fl requiresecuritysignature
Get-SmbClientConfiguration | fl requiresecuritysignature
To disable the requirement for SMB signing in client connections, run the following PowerShell command as an elevated administrator:
Set-SmbClientConfiguration -RequireSecuritySignature $false
To disable the requirement for SMB signing in server connections, including Windows 11 Insider Preview Build 25381 and higher with Enterprise edition devices, execute the following PowerShell command as an elevated administrator:
Set-SmbServerConfiguration -RequireSecuritySignature $false
Windows 11 Insider Preview Build 25381 brings a significant security enhancement to the SMB protocol with the mandatory requirement for SMB signing in Enterprise editions. By ensuring the integrity and authenticity of data transferred between devices, Microsoft is taking proactive steps to protect users from potential interception and relay attacks.
Administrators can easily manage SMB signing settings through PowerShell commands, enabling them to fine-tune security settings while maintaining system performance. With these improvements, Microsoft continues to prioritize the security of Windows and Windows Server, providing users with a more secure and reliable computing environment.
Thank you for visiting our website!
We value your engagement and would love to hear your thoughts. Don't forget to leave a comment below to share your feedback, opinions, or questions.
We believe in fostering an interactive and inclusive community, and your comments play a crucial role in creating that environment.