Microsoft Windows edges closer to SMB security signing fully required by default
'This is certainly the biggest change we've made since the campaign to remove SMB1'
Microsoft is getting closer to requiring cryptographic signing of SMB traffic by default for all connections on Windows 11 at least.
By that, the software giant means all SMB messages over the network will be digitally signed so that any tampering can be automatically detected, and senders and receivers can verify who they're talking to.
The IT titan made this signing a requirement in the latest Windows 11 Insider Preview build via the Canary Channel, a release channel reserved for relatively raw features that sysadmins, techies, and developers can try out and give feedback on to Microsoft. If all goes well, the signing requirement could well be rolled out across the board.
When launching the Canary Channel in March, Microsoft cautioned that not every feature released via that channel will make it into future versions of Windows. However, given Microsoft's efforts to harden its operating system – both generally and in particular SMB file sharing – something would have to go sideways for this default to not be included in future Windows iterations.
Ned Pyle, a principal program manager in Microsoft's Windows Server engineering group, wrote in a note to IT admins to expect the SMB signing requirement to come to Windows Pro, Education, and other editions – as well as Windows Server – in the next few months, adding that "depending on how things go in Insiders, it will then start to appear in major releases."
A significant change
Pyle told The Register the update is significant because while there has been SMB signing for decades, it typically only has been required by default for "a narrow set of Active Directory domain controller scenarios. This change tackles the whole SMB ecosystem, eventually including consumers, and it will move SMB third parties into a more secure default as well – just like our removal of SMB1 in Windows forced the industry to follow."
SMB is the protocol Windows uses to transfer files over networks. As well as detecting tampering and impersonation, the signing should also thwart attempts at NTLM relay attacks. In such attacks, a miscreant on the network intercepts an attempt by a user to log into a server so that the attacker is logged in as the user.
"The client puts a hash of the entire message into the signature field of the SMB header," Pyle explained in his written note. "If anyone changes the message itself later on the wire, the hash won't match and SMB knows that someone tampered with the data. It also confirms to sender and receiver that they are who they say they are, breaking relay attacks."
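The rule Pyle describes, worked through as an added example that is not from the article or from Microsoft: an SMB 2.02 header with a zeroed Signature field is run through HMAC-SHA256 (the 2.02 method mentioned later in the article), the first 16 bytes of the MAC are written into the header, and the receiver recomputes the MAC to reject any altered message or one produced without the session key. The header layout follows MS-SMB2; the session key and payload are constructed placeholders.

```python
import hashlib
import hmac
import struct

# SMB2 packet header layout (MS-SMB2 2.2.1.2): 64 bytes, Flags at offset 16,
# 16-byte Signature at offset 48. SMB2_FLAGS_SIGNED marks a signed message.
SMB2_FLAGS_SIGNED = 0x00000008
SIG_OFF, SIG_LEN, FLAGS_OFF = 48, 16, 16

def build_smb2_message(command, message_id, session_id, payload):
    """Minimal SMB 2.02 header (unsigned, Signature zeroed) plus payload."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        b"\xfeSMB", 64, 0, 0,        # ProtocolId, StructureSize, CreditCharge, Status
        command, 1, 0, 0,            # Command, CreditRequest, Flags, NextCommand
        message_id, 0, 1,            # MessageId, Reserved, TreeId
        session_id, b"\x00" * 16)    # SessionId, Signature placeholder
    return header + payload

def _mac(message, signing_key):
    """HMAC-SHA256 over the whole message with Signature zeroed, first 16 bytes."""
    zeroed = bytearray(message)
    zeroed[SIG_OFF:SIG_OFF + SIG_LEN] = b"\x00" * SIG_LEN
    return hmac.new(signing_key, bytes(zeroed), hashlib.sha256).digest()[:SIG_LEN]

def sign_smb2(message, signing_key):
    """Sender side: set SMB2_FLAGS_SIGNED, then write the MAC into Signature."""
    signed = bytearray(message)
    flags = struct.unpack_from("<I", signed, FLAGS_OFF)[0] | SMB2_FLAGS_SIGNED
    struct.pack_into("<I", signed, FLAGS_OFF, flags)
    signed[SIG_OFF:SIG_OFF + SIG_LEN] = _mac(bytes(signed), signing_key)
    return bytes(signed)

def verify_smb2(message, signing_key):
    """Receiver side: accept only a signed SMB2 message whose MAC recomputes."""
    if len(message) < 64 or message[:4] != b"\xfeSMB":
        return False
    if not struct.unpack_from("<I", message, FLAGS_OFF)[0] & SMB2_FLAGS_SIGNED:
        return False
    received = message[SIG_OFF:SIG_OFF + SIG_LEN]
    return hmac.compare_digest(received, _mac(message, signing_key))

# Constructed sample: a session key both ends hold after authentication
# (placeholder bytes, not a real key) and a WRITE-like payload.
SESSION_KEY = bytes(range(16))
UNSIGNED = build_smb2_message(command=0x0009, message_id=4, session_id=0x1122,
                              payload=b"payload written to the share")
SIGNED = sign_smb2(UNSIGNED, SESSION_KEY)
TAMPERED = SIGNED[:64] + b"Payload" + SIGNED[71:]   # one payload byte altered on the wire
```

Verifying `SIGNED` with the session key succeeds, while `TAMPERED`, the unsigned original, or a message checked with any other key is rejected, which is the property that breaks relaying.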
A break from the old ways
In Windows 10 and 11, he wrote, SMB signing was required by default only for connections to the SYSVOL and NETLOGON shares, and where Active Directory domain controllers required signing from clients connecting to them.
As of the Windows 11 Insider Preview Build 25381 Enterprise edition, signing is required by default for all connections.
"We've made substantial security progress in the last year for SMB but this is certainly the biggest change we've made since the campaign to remove SMB1," Pyle told us. "We have many more changes planned for SMB security this year in Insiders, some small defense-in-depth options, but also a few really big ones like this."
This is the latest in an ongoing effort to ensure SMB remains a large part of Windows security. Microsoft in 2022 disabled by default support for the SMB1 protocol in Windows, opting for the more secure SMB2. Five months later, Redmond turned the SMB rate limiter on by default in Windows Insider, throwing more challenges to miscreants making multiple authentication attempts.
This year brought turning off SMB insecure guest authentication by default in Windows Insider Pro editions and the beginning of the end for the insecure and unreliable Remote Mailslots, a holdover from the pre-Windows NT days.
There also have been improvements in the signing algorithms, including adding the HMAC SHA-256 method to SMB 2.02 and AES-CMAC in SMB 3.0. Within Windows 11 and Windows Server 2022, Microsoft added AES-128 GMAC signing acceleration.
Security is a never-ending challenge
All versions of Windows and Windows Server dating back to Windows NT support SMB signing. With signing by default required, if SMB signing is not present or broken on either end of the authentication request, you'll hit errors that include "0xc000a000," "-1073700864," "STATUS_INVALID_SIGNATURE," or "The cryptographic signature is invalid."
A drawback is that this signing can reduce the speed of SMB copy operations, though Microsoft said enterprises can address this by adding more physical CPU cores, virtual CPUs, or newer and faster CPUs.
As noted above, this is all part of many more changes coming to SMB, we're told.
"If you're maintaining a protocol and service, security improvements are never-ending, the threats keep evolving and the old ways get less palatable," Pyle said. "Everyone will be pleased with the new SMB security pieces coming unless they're on a red team or in organized crime." ®