Microsoft has made a significant change to how firewall rules are handled, particularly for the outdated SMB1 protocol, in its latest Windows 11 Insider Preview Build. The new approach tightens the default inbound firewall configuration for file sharing by aligning it with the behavior of the Windows Server "File Server" role.
Dropping Outdated Protocols
Historically (since Windows XP SP2), creating a Server Message Block (SMB) share in Windows automatically added firewall rules in the "File and Printer Sharing" group for the corresponding firewall profiles. Starting with Canary Channel Insider Preview Build 25992, creating an SMB share instead configures the new "File and Printer Sharing (Restrictive)" group. This group deliberately omits the inbound NetBIOS ports 137-139, legacy remnants of the original SMB1 protocol.
Amanda Langowski and Brandon LeBlanc of Microsoft said that future updates would further refine this new firewall group. These revisions may remove inbound ICMP, LLMNR, and Spooler Service ports as well, limiting the configuration to only the ports necessary for SMB sharing, and reducing the operating system's exposure to network-based attacks. If you are curious about disabling SMB1 in Windows 11, our tutorial can help you do it in a few minutes.
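To see which of these rules a given machine actually carries, the following PowerShell audit lists every inbound rule in both the legacy "File and Printer Sharing" group and the new "(Restrictive)" group and flags any rule that still admits the NetBIOS ports 137-139. This is an added example written for this article, not a script from Microsoft; it uses only the standard NetSecurity cmdlets (Get-NetFirewallRule, Get-NetFirewallPortFilter) and assumes an elevated session on a build where the group names match the English display names quoted above.

```powershell
# Added example (not from the article): audit "File and Printer Sharing" firewall
# groups for inbound rules that still open the legacy NetBIOS ports 137-139.
# Assumes an elevated PowerShell session with the built-in NetSecurity module.

$legacyPorts = 137..139
$groups = @('File and Printer Sharing', 'File and Printer Sharing (Restrictive)')

# Expand a LocalPort value ('139', '137-139', 'Any', or an array) into integers.
function Expand-PortValue {
    param([object]$Value)
    foreach ($item in @($Value)) {
        $text = "$item"
        if ($text -eq 'Any' -or $text -eq '') { continue }
        if ($text -match '^(\d+)-(\d+)$') {
            [int]$Matches[1]..[int]$Matches[2]
        } elseif ($text -match '^\d+$') {
            [int]$text
        }
    }
}

$report = foreach ($group in $groups) {
    # -DisplayGroup matches the group name shown in Windows Defender Firewall.
    $rules = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue
    if (-not $rules) {
        Write-Host "Group '$group' is not present on this build."
        continue
    }
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        $ports = @(Expand-PortValue $filter.LocalPort)
        $netbios = @($ports | Where-Object { $legacyPorts -contains $_ })
        [pscustomobject]@{
            Group     = $group
            Rule      = $rule.DisplayName
            Enabled   = $rule.Enabled
            Profile   = $rule.Profile
            Protocol  = $filter.Protocol
            LocalPort = ("$($filter.LocalPort)")
            NetBIOS   = ($netbios.Count -gt 0)
        }
    }
}

# Show the full table, then only the enabled rules that still expose NetBIOS.
$report | Format-Table -AutoSize
$report | Where-Object { $_.NetBIOS -and $_.Enabled -eq 'True' } |
    Format-Table Group, Rule, Profile, Protocol, LocalPort -AutoSize
```

On a build that predates 25992 the "(Restrictive)" group will simply be reported as absent; on a newer build, an enabled NetBIOS rule in the legacy group usually means a share was created before the upgrade and its old rules were carried forward.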
Embracing Advanced Connectivity and Encryption
Furthermore, the updated SMB client in Windows 11 can now connect to SMB servers on custom network ports rather than only the fixed defaults. Traditionally, the SMB protocol only accommodated TCP/445, QUIC/443, and RDMA iWARP/5445. These enhancements contribute to a more secure Windows ecosystem in the face of evolving cyber threats.
As part of its ongoing security initiative, Microsoft has also introduced changes that let administrators enforce SMB client encryption for all outbound connections. Because the client then refuses destination servers that do not support SMB 3.x and encryption, connections are protected against eavesdropping and interception. Additionally, the option to block NTLM authentication data on outbound SMB connections and the requirement for SMB signing by default further guard against known attack methods such as pass-the-hash and NTLM relay.
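A defender can check where a client stands on the three settings just described with Get-SmbClientConfiguration. The script below is an added example for this article, not Microsoft's own code: RequireSecuritySignature is a long-standing property of that cmdlet's output, while RequireEncryption and BlockNTLM are assumed property names for the Insider-era encryption and NTLM-blocking controls, so the script treats any property it cannot find as "not available on this build" rather than as a failure.

```powershell
# Added example (not from the article): report SMB client hardening settings
# (signing, outbound encryption, NTLM blocking) and flag weak values.
# RequireEncryption and BlockNTLM are assumed names for Insider-build settings;
# older builds lack them, and the script reports that instead of erroring.

$cfg = Get-SmbClientConfiguration

$checks = @(
    @{ Name = 'RequireSecuritySignature'; Want = $true
       Why  = 'mandatory SMB signing defeats NTLM relay and in-flight tampering' },
    @{ Name = 'RequireEncryption';        Want = $true
       Why  = 'requires SMB 3.x encryption on every outbound connection' },
    @{ Name = 'BlockNTLM';                Want = $true
       Why  = 'keeps NTLM credential material off outbound SMB connections' }
)

$results = foreach ($c in $checks) {
    # PSObject.Properties lets us probe for a property without throwing on older builds.
    $prop = $cfg.PSObject.Properties[$c.Name]
    if ($null -eq $prop) {
        $state = 'not available on this build'; $value = $null
    } elseif ($prop.Value -eq $c.Want) {
        $state = 'OK'; $value = $prop.Value
    } else {
        $state = 'WEAK'; $value = $prop.Value
    }
    [pscustomobject]@{ Setting = $c.Name; Value = $value; State = $state; Why = $c.Why }
}
$results | Format-Table -AutoSize

# The firewall change retires SMB1; confirm the optional component is removed too.
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol |
    Select-Object FeatureName, State

# Exit non-zero if anything verifiably weak was found, so the check can run from a scheduled task.
if ($results | Where-Object { $_.State -eq 'WEAK' }) { exit 1 }
```

Enabling any setting reported as WEAK is done with the matching Set-SmbClientConfiguration switch; before turning on mandatory encryption, confirm every file server the client depends on already negotiates SMB 3.x, or those connections will start failing.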
Last year, Microsoft disclosed the final phase of deprecating the SMB1 file-sharing protocol, and in September 2022, added defenses against brute-force attacks with an SMB authentication rate limiter. These moves underline Microsoft's commitment to continuous security improvement in Windows operating systems and its response to the ever-changing landscape of cybersecurity threats.