Microsoft has unveiled new security controls for the Server Message Block (SMB) protocol, targeting IT professionals. These controls are now accessible in an early preview release through the Windows Insider Program.
The SMB protocol is a network file-sharing protocol: it lets clients read and use files on servers or other computers, as well as printers, named pipes and other resources. SMB stands for Server Message Block, the name of the data units exchanged between client and server. SMB runs over TCP/IP or other network transports.
Windows has supported SMB from the start, but the protocol has evolved over time to add features and improve performance. The newest version is SMB 3, which shipped with Windows Server 2012 and Windows 8. SMB 3 added failover, scale-out, multichannel, SMB Direct, encryption, directory leasing and performance improvements.
SMB NTLM Blocking: A Step Towards Enhanced Security
The tech giant has introduced two primary SMB security features. The first allows IT professionals to prevent the SMB NTLM (Windows New Technology LAN Manager) protocol from being utilized in outbound connections.
As Ned Pyle, a principal program manager for Microsoft's core OS engineering group, elaborated, connecting to Active Directory domain-joined computers using SMB with a domain user account should always result in Kerberos authentication. He emphasized, “Blocking NTLM should have no consequences to connectivity in this case.” Microsoft has been advocating for the use of Kerberos over NTLM for several years, citing Kerberos as a more robust authentication protocol.
SMB Dialect Management: Offering More Control
The second feature lets administrators choose which SMB “dialects” (such as SMB 2 or SMB 3) a Windows server will accept. This is a departure from the traditional behavior, in which the Windows SMB server always negotiated the highest dialect supported by both sides. With this new feature, administrators can block certain SMB dialects, ensuring that only the most secure and capable devices can connect.
For instance, they can mandate the use of SMB 3.1.1, recognized as the most secure dialect of the protocol. Dialect management has been available for SMB clients since the release of Windows 10, but its introduction for Windows servers marks a significant addition.
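The two controls described above (outbound NTLM blocking and server dialect pinning), as an added PowerShell example that is not Microsoft's or the article's own code: it audits who would be affected, shows the default setting beside the hardened one, and then applies the change. It assumes an elevated session on a Windows build that ships these previews (the -BlockNTLM and -Smb2DialectMin/-Smb2DialectMax parameters are absent on older builds) and uses a constructed server name, fileserver01.

```powershell
# Added example, not from the article: audit and then enforce the two SMB
# controls it describes. Assumes an elevated session on a Windows build that
# ships these previews; -BlockNTLM and -Smb2DialectMin/-Smb2DialectMax are
# absent on older builds, and 'fileserver01' is a constructed name.
#Requires -RunAsAdministrator

# Inbound sessions still negotiating anything below SMB 3.1.1. Run this on the
# server before pinning the dialect, so nothing breaks unexpectedly.
function Get-SmbLegacyDialectSession {
    Get-SmbSession |
        Where-Object { [version]$_.Dialect -lt [version]'3.1.1' } |
        Select-Object ClientComputerName, ClientUserName, Dialect
}

# NTLM network logons (event 4624, LogonType 3) recorded on this host: these
# are the clients that would fail once NTLM is blocked and need Kerberos.
function Get-NtlmNetworkLogon([int]$MaxEvents = 500) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            $field = @{}
            foreach ($x in $d) { $field[$x.Name] = $x.'#text' }
            if ($field.LogonType -eq '3' -and $field.AuthenticationPackageName -eq 'NTLM') {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    User   = "$($field.TargetDomainName)\$($field.TargetUserName)"
                    Source = $field.IpAddress
                }
            }
        }
}

Get-SmbLegacyDialectSession | Format-Table
Get-NtlmNetworkLogon | Format-Table

# Default (weak) state: NTLM allowed outbound, any SMB 2/3 dialect accepted.
Get-SmbClientConfiguration | Select-Object BlockNTLM
Get-SmbServerConfiguration | Select-Object Smb2DialectMin, Smb2DialectMax

# Hardened state. Domain users on domain-joined hosts keep working over
# Kerberos; targets reachable only by IP address or outside the domain will
# fail until they are fixed, which is what the audit above is for.
Set-SmbClientConfiguration -BlockNTLM $true -Force
Set-SmbServerConfiguration -Smb2DialectMin SMB311 -Smb2DialectMax SMB311 -Force

# One-off mapping that refuses NTLM even if the global client setting is off.
New-SmbMapping -RemotePath '\\fileserver01\data' -BlockNTLM $true
```

Re-run the two Get-*Configuration lines afterwards to confirm BlockNTLM is True and both dialect bounds read SMB311; Get-SmbConnection on a client shows the Dialect actually negotiated per connection.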