Out of the box, Windows 11 allows only one failed SMB login attempt every two seconds. Microsoft hopes to make Windows a less attractive target for brute-force attacks.
Microsoft has enabled a new security feature that should significantly reduce the chances of success for brute-force attacks on SMB servers running Windows 11. The default setting is now a “forced pause” of two seconds after each failed authentication attempt via NTLM.
So far, however, the so-called Authentication Rate Limiter is only active by default in Windows 11 build 25206, the latest pre-release version in the Developer Channel of the Insider program. “The goal is to make a Windows client an unattractive target, either in a workgroup or for local accounts if it belongs to a domain,” the Windows Insider Blog states.
Previously, it was possible to launch, for example, 300 brute-force logon attempts per second from one client against another. Thus, within five minutes, a hacker could test 90,000 different passwords for logging in. With the two-second delay after each failed login attempt, the same number of attempts would take at least 50 hours.
Other new features for Windows 11
Microsoft points out that although the SMB server is active in all versions of Windows 11, it is not accessible from the outside by default. For that, the firewall would have to be opened, or an SMB share would have to be set up, which opens the firewall.
In addition, the delay of 2000 milliseconds (2 seconds) is triggered as soon as an invalid user name or password is sent to an SMB server. It is active on all versions of Windows 11 starting with build 25206. However, the feature remains disabled in Insider versions of Windows Server, Microsoft added.
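How an administrator might check the delay and raise it where it is off or too low, for example on the Insider versions of Windows Server mentioned above. This is an added example, not code from Microsoft or from the original article; it assumes the `InvalidAuthenticationDelayTimeInMs` setting of the SmbShare cmdlets, and the `$RequiredDelayMs` and `-Enforce` parameter names are hypothetical.

```powershell
# Added example: audit (and optionally set) the SMB invalid-authentication delay.
# Run in an elevated PowerShell session; the SmbShare module ships with Windows.
param(
    [int]$RequiredDelayMs = 2000,   # hypothetical name; 2000 ms is the default described above
    [switch]$Enforce                # hypothetical name; without it the script only reports
)

$cfg  = Get-SmbServerConfiguration
$prop = $cfg.PSObject.Properties['InvalidAuthenticationDelayTimeInMs']

if (-not $prop) {
    # Builds that predate the rate limiter do not expose the setting at all.
    Write-Warning 'This build does not expose InvalidAuthenticationDelayTimeInMs.'
    return
}

$current = [int]$prop.Value
Write-Output "Current delay after a failed SMB logon: $current ms"

if ($current -ge $RequiredDelayMs) {
    Write-Output 'Rate limiter meets the required delay.'
    return
}

if (-not $Enforce) {
    Write-Warning "Delay is below $RequiredDelayMs ms; rerun with -Enforce to change it."
    return
}

# Apply the required delay, then read the value back to confirm it took effect.
Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs $RequiredDelayMs -Force
$after = (Get-SmbServerConfiguration).InvalidAuthenticationDelayTimeInMs
Write-Output "Delay is now $after ms"
```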
With build 25206, Microsoft also introduces a new “Open with” dialog. In addition, Dynamic Refresh Rate (DRR) is available for external displays. This requires a monitor with a refresh rate of at least 120 Hz that supports Variable Refresh Rate (VRR).
Microsoft also fixes numerous bugs, including in OneDrive, Settings, search and Windows Sandbox. A list of all fixes, as well as the issues that are still known, can be found in the blog entry for build 25206.