With the launch of Windows 11 Insider Preview Build 25951 (Canary), Microsoft has added a new security feature that lets admins block New Technology Lan Manager (NTLM) over the file-sharing protocol Server Message Block (SMB) to prevent password-cracking attacks.
More specifically, the SMB client supports blocking NTLM for remote outbound connections in a change to a legacy protocol that is no longer considered as secure.
Because the change is designed to prevent a user’s hashed password from being sent to a remote server, eligible Windows 11 users can prevent these types of attacks altogether.
SMB NTLM blocking coming to Windows 11
Microsoft worker Ned Pyle summarized the update: “With this new option, an administrator can intentionally block Windows from offering NTLM via SMB. An attacker who tricks a user or application into sending NTLM challenge responses to a malicious server will no longer receive any NTLM data and cannot brute force, crack, or pass hashes.”
Pyle added that the change would allow enterprise customers to access enhanced security without having to disable NTLM usage fully, stating: “A later Windows Insider release will allow administrators to control SMB NTLM blocking to specific servers with an allow list.”
As well as preventing password-cracking attacks, blocking NTLM over SMB can help to prevent pass-the-hash attacks and NTLM relay attacks.
The announcement, which also provided a set of instructions for configuring the option via Group Policy and PowerShell. made no mention of general availability.
However the change is already being made in the Canary Channel and a full release could be on the cards fairly soon as the company looks to implement changes as part of a wider shakeup.
According to Microsoft, the change is one that lays the foundation for a larger strategy to end NTLM usage throughout Windows, and further announcements have been slated for “the coming weeks.”