Microsoft has recently updated the Windows 11 security policy, allowing administrators to block the NTLM authentication protocol when working with SMB (Server Message Block) as part of its efforts to enhance system security. By blocking NTLM, the feature aims to protect the system from attacks such as pass-the-hash and NTLM relay. This update significantly reduces the risks associated with vulnerabilities in the authentication and encryption mechanisms of SMB.
SMB is a network protocol that facilitates access to files, printers, and various ports between devices in the same network. While it includes authentication and encryption mechanisms to ensure safe access to resources, it is in this area that vulnerabilities often arise, leaving the system susceptible to attacks.
In earlier versions of Windows, authentication relied on SPNEGO, a negotiation mechanism that supports multiple protocols, including Kerberos and NTLM. However, NTLM, which derives a hash from the user's password and sends it to the server for verification, has proven to be less reliable in terms of security.
The updated Windows 11 security policy now allows administrators to disable NTLM through Group Policy or PowerShell. By doing so, the risk of password hashes being intercepted and cracked is eliminated, as they are no longer sent to remote servers. In the future, an exception list will be added to specify servers to which the block will not apply.
In addition to the NTLM block, the update also introduces a new feature for managing SMB dialects. This allows administrators to restrict connections from old, unprotected devices. By default, the system now requires SMB signing (security signatures) for all connections, providing an additional barrier against NTLM relay attacks.
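An added example (not from the article or from Microsoft) showing how the NTLM block, SMB signing requirement and dialect restriction described in the two paragraphs above can be audited and applied from an elevated PowerShell session on a Windows 11 build that ships these settings. The `-BlockNTLM`, `-Smb2DialectMin` and `-Smb2DialectMax` parameter names and the `SMB300`/`SMB311` dialect values are assumed from Microsoft's SMB documentation; confirm they exist on your build before relying on them.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's own code. Assumed parameter names (-BlockNTLM,
# -Smb2DialectMin, -Smb2DialectMax) and dialect values can be checked with:
#   (Get-Command Set-SmbClientConfiguration).Parameters.Keys

function Get-SmbHardeningState {
    # Snapshot of the settings the article discusses, for a before/after comparison.
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        ClientBlockNTLM      = $client.BlockNTLM
        ClientRequireSigning = $client.RequireSecuritySignature
        ServerRequireSigning = $server.RequireSecuritySignature
        ClientDialectMin     = $client.Smb2DialectMin
        ClientDialectMax     = $client.Smb2DialectMax
        ServerSMB1Enabled    = $server.EnableSMB1Protocol
    }
}

function Set-SmbHardening {
    param([switch]$WhatIf)   # pass -WhatIf to preview without changing anything

    # 1. Refuse NTLM for every outbound SMB connection: only Kerberos is negotiated,
    #    so no NTLM response derived from the password hash ever leaves the host.
    Set-SmbClientConfiguration -BlockNTLM $true -Force -WhatIf:$WhatIf

    # 2. Require SMB signing on both the client and server side; a relayed session
    #    cannot produce valid signatures, which is what blocks NTLM relay.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force -WhatIf:$WhatIf
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force -WhatIf:$WhatIf

    # 3. Only negotiate modern dialects (SMB 3.0 to 3.1.1), dropping SMB 2.0.2/2.1 peers.
    Set-SmbClientConfiguration -Smb2DialectMin SMB300 -Smb2DialectMax SMB311 -Force -WhatIf:$WhatIf

    # 4. Keep the deprecated SMB1 server disabled.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force -WhatIf:$WhatIf
}

Write-Host 'Before:'; Get-SmbHardeningState | Format-List
Set-SmbHardening
Write-Host 'After:';  Get-SmbHardeningState | Format-List
```

Until the planned server exception list ships, a single legacy share can still be reached without NTLM being blocked globally by leaving `BlockNTLM` off and instead passing `-BlockNTLM $true` to `New-SmbMapping` only for the connections that must be Kerberos-only.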
Microsoft's update is part of a larger initiative to improve security across its Windows and Windows Server product lines. Earlier this year, the outdated SMB1 protocol was disabled by default, and an SMB authentication rate limiter was introduced to reduce the effectiveness of attack methods such as password brute-forcing.
Overall, this new feature in Windows 11 gives administrators greater control over the network and stronger protection for user data.