Windows 11 Enhances SMB Encryption for Safety

Windows 11 Insider Preview Build 25982 Introduces Improved SMB Encryption

Source: Windows Insider Blog

In the latest update, Windows 11 Insider Preview Build 25982, Microsoft has made significant improvements to SMB (Server Message Block) encryption for participants in the Canary Channel of the Windows Insider program. Windows administrators can now require encryption for all outbound SMB connections, giving data end-to-end encryption. Encryption can be enabled for individual shares or for the entire file server via Windows Admin Center, Windows PowerShell, or UNC Hardening.

SMB encryption was first introduced with SMB 3.0 in Windows 8 and Windows Server 2012. Support for the AES-256-GCM cipher suite, however, was only added in Windows 11 and Windows Server 2022.

The new encryption option can be configured using PowerShell or through the “Require Encryption” Group Policy setting under “Computer Configuration” -> “Administrative Templates” -> “Network” -> “Lanman” -> “Lanman Workstation”.

Figure: the Windows 11 “Require Encryption” Group Policy setting

Source: Tech Community Microsoft Blog

A Microsoft representative noted on the blog that administrators can now force SMB encryption on all connections and have the client refuse to connect if the SMB server does not support encryption. This measure is designed to protect against attempts to intercept data in transit.

In addition, starting with Windows 11 Insider Preview Build 25951, administrators can configure systems to automatically block NTLM authentication over SMB, preventing pass-the-hash attacks against Windows hosts that rely on the NTLM protocol for authentication. Modern versions of Windows already include protection measures that reduce the risk of “Pass-the-Hash” attacks.
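The PowerShell route to the settings described above (client-side required encryption, server-side encrypted shares, and blocking NTLM over SMB), shown as an added example that is not part of the original announcement. It assumes an elevated PowerShell session on a build that carries these options (Build 25982 for `RequireEncryption`, Build 25951 for `BlockNTLM`) and a share named `Data` that is only a placeholder; the `$env:COMPUTERNAME` check is an example that may not apply to every deployment.

```powershell
# Added example: harden the SMB client and server with the settings
# discussed in the article. Requires an elevated PowerShell session.

# 1. Record the current client posture before changing anything.
Get-SmbClientConfiguration |
    Select-Object RequireSecuritySignature, EncryptionCiphers, RequireEncryption, BlockNTLM |
    Format-List

# 2. Client side: refuse any outbound SMB connection the server cannot encrypt.
#    Servers that only speak SMB 1.x/2.x, or that have encryption disabled,
#    will no longer be reachable from this host.
Set-SmbClientConfiguration -RequireEncryption $true -Force

# 3. Client side: block NTLM authentication over SMB (Build 25951 and later),
#    so pass-the-hash against this client's outbound sessions is not possible.
Set-SmbClientConfiguration -BlockNTLM $true -Force

# 4. Server side: encrypt either one share or every share on the file server.
#    'Data' is a placeholder share name, not one from the article.
Set-SmbShare -Name 'Data' -EncryptData $true -Force        # single share
Set-SmbServerConfiguration -EncryptData $true -Force        # whole server

# 5. Prefer AES-256-GCM (Windows 11 / Server 2022 and later) over AES-128.
Set-SmbClientConfiguration -EncryptionCiphers 'AES_256_GCM, AES_128_GCM' -Force
Set-SmbServerConfiguration -EncryptionCiphers 'AES_256_GCM, AES_128_GCM' -Force

# 6. Verify: every active outbound session should now report Encrypted = True.
#    Any unencrypted or signed-only session here is a server still to be fixed.
Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect, Encrypted, Signed |
    Format-Table -AutoSize
```

Roll these out in audit mode first by running steps 1 and 6 alone, so servers that would be cut off by step 2 are found and upgraded before encryption is enforced.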
