2023-10-25

Microsoft is taking a significant step towards strengthening the security of Windows 11 systems with the introduction of mandatory SMB (Server Message Block) client encryption for all outbound connections. With the latest Windows 11 Insider Preview Build 25982, administrators now have the ability to enforce encryption on SMB connections, ensuring end-to-end data security.

SMB encryption, first introduced with SMB 3.0 on Windows 8 and Windows Server 2012, provides data encryption for file sharing. The integration of AES-256-GCM cryptographic suites in Windows 11 and Windows Server 2022 further enhances the security capabilities of SMB encryption.

By making it mandatory for destination servers to support SMB 3.x and encryption, Windows administrators can protect against eavesdropping and interception attacks. This requirement means that clients can only establish a connection if the server meets the encryption criteria, providing a robust defense mechanism.

Microsoft Principal Program Manager, Ned Pyle, explains that administrators can now configure the SMB client to always require encryption, regardless of the server or specific requirements. This global enforcement of SMB encryption ensures that all connections on a Windows machine utilize SMB 3.x and refuse to connect if the server does not support encryption.

To configure this option, administrators can use PowerShell or the ‘Require encryption’ group policy in the Computer Configuration > Administrative Templates > Network > Lanman Workstation settings.

This new feature complements the existing security enhancements in Windows 11. In previous Insider Preview Builds, Microsoft enabled the automatic blocking of NTLM data transmission over SMB, effectively thwarting pass-the-hash, NTLM relay, and password-cracking attacks. Requiring SMB signing by default further strengthens defenses against NTLM relay attacks.

SMB encryption provides robust tamper protection as well as confidentiality, while SMB signing carries less performance overhead. Administrators should weigh the benefits of each feature against the potential overhead and compatibility issues. Pyle emphasizes, however, that SMB encryption supersedes SMB signing: it offers the same tamper protection, so requiring both encryption and signing serves no purpose.

These security enhancements are part of Microsoft’s ongoing commitment to fortifying Windows and Windows Server. The company has made substantial progress in disabling the outdated SMB1 protocol and has implemented an SMB authentication rate limiter to mitigate brute-force attacks.

Frequently Asked Questions

1. What is SMB encryption?

SMB encryption is a feature that provides end-to-end data encryption for file sharing in Windows systems. It ensures that sensitive information transmitted through SMB connections remains secure and protected from eavesdropping or interception.

2. How can administrators enforce SMB client encryption?

Administrators can enforce SMB client encryption in Windows 11 through the use of PowerShell or the ‘Require encryption’ group policy in the Lanman Workstation settings.
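The following PowerShell session illustrates the enforcement step described above and in the earlier paragraph on configuring the option. It is an added example written for this page, not code from Microsoft or the article: it audits the current SMB connections for servers that could not satisfy the new requirement, turns the requirement on, and verifies the result. The `-RequireEncryption` parameter of `Set-SmbClientConfiguration` is the switch introduced with this build (the page itself only says "PowerShell"); the `Dialect`, `Encrypted` and `Signed` properties of `Get-SmbConnection` are assumed to be present on this build.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft): audit, enforce, verify.
# Assumptions: -RequireEncryption on Set-SmbClientConfiguration is the parameter the
# announced build adds; Dialect/Encrypted/Signed on Get-SmbConnection are assumed.

# 1. Audit: which current connections would break once encryption is mandatory?
#    A server that only negotiates a dialect below 3.0 cannot encrypt at all, and an
#    SMB 3.x server that has not enabled encryption will also be refused.
function Get-SmbConnectionsAtRisk {
    Get-SmbConnection |
        Select-Object ServerName, ShareName, Dialect, Encrypted, Signed |
        Where-Object { [version]$_.Dialect -lt [version]'3.0' -or -not $_.Encrypted }
}

$atRisk = Get-SmbConnectionsAtRisk
if ($atRisk) {
    Write-Warning "These connections are unencrypted or pre-SMB3 and will fail after enforcement:"
    $atRisk | Format-Table -AutoSize
}

# 2. Enforce: the client refuses any server that does not support SMB 3.x encryption.
Set-SmbClientConfiguration -RequireEncryption $true -Force

# 3. Verify the effective setting. If the 'Require encryption' Group Policy under
#    Lanman Workstation is configured, it takes precedence over the local value.
$cfg = Get-SmbClientConfiguration
if (-not $cfg.RequireEncryption) {
    throw "RequireEncryption is still false; a Group Policy setting may be overriding the local value."
}
Write-Host "SMB client now requires encryption for all outbound connections."

# Roll back while testing compatibility with legacy file servers:
# Set-SmbClientConfiguration -RequireEncryption $false -Force
```

Run the audit step first on a representative set of machines: any share listed there (an SMB1/2.x appliance, a NAS without encryption enabled) will stop mounting the moment the requirement is enforced, so those servers need to be upgraded or have encryption turned on before the client setting is rolled out by policy.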

3. Does requiring SMB encryption impact performance?

SMB encryption can introduce performance overhead and compatibility considerations. Administrators should balance the need for security with performance requirements. SMB signing, which performs better and still provides tamper protection, can be an alternative to encryption, but it does not provide snooping (confidentiality) protection.

4. What are the benefits of SMB encryption in Windows 11?

SMB encryption enhances data security by encrypting file-sharing communications, defending against eavesdropping and interception attacks. It ensures that clients can only establish connections with servers that support SMB 3.x and encryption, thereby providing a robust defense mechanism.