Microsoft has announced the release of Windows 11 Insider Preview Build 25381 to the Canary Channel. This update brings significant improvements to the security of Windows and Windows Server, particularly regarding Server Message Block (SMB) signing.

 

With SMB signing now required by default for all connections in the Enterprise editions, Microsoft aims to enhance the security posture of its operating systems in the modern landscape.

 

Windows 11 Insider Preview Build 25381 Implements SMB Signing
Windows 11 Build 25381 Boosts Security with SMB Signing Requirement

 

  • Windows 11 Insider Preview Build 25381 introduces mandatory SMB signing for all connections in Enterprise editions, enhancing security.
  • SMB signing ensures data integrity and authenticity, preventing unauthorized tampering or interception.
  • Third-party SMB servers should be configured to support SMB signing to avoid error messages and potential attacks.
  • The performance impact of SMB signing can be mitigated with more CPU cores or faster CPUs.
  • PowerShell commands allow easy management of SMB signing settings for clients and servers.

 

 

The Importance of SMB Signing

SMB signing is a security feature that helps prevent unauthorized tampering or interception of data transferred between devices using the SMB protocol. It ensures the integrity and authenticity of data by appending a digital signature to SMB packets.

 

By requiring SMB signing by default for all connections, Microsoft is taking a proactive approach to safeguarding sensitive information and protecting users from potential interception and relay attacks.

 

 

Changes in Legacy Behavior

Previously, Windows 10 and 11 required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON, and when Active Directory domain controllers required SMB signing for client connections. With Build 25381, this behavior has changed, and SMB signing is now mandatory for all connections in Windows 11 Enterprise editions.

 

This update aligns with Microsoft's ongoing efforts to improve security in Windows and Windows Server.

 

 

Addressing Third-Party Compatibility

While all versions of Windows and Windows Server support SMB signing, there may be cases where a third-party SMB server disables or does not support this feature. When attempting to connect to a remote share on such servers, users may encounter error messages such as "0xc000a000", "-1073700864", or "STATUS_INVALID_SIGNATURE".

 

To resolve this issue, Microsoft strongly recommends configuring the third-party SMB server to support SMB signing. Disabling SMB signing in Windows or resorting to SMB1 as a workaround is not advised, as it opens the door to potential interception and relay attacks.

 

 

Performance Considerations

Enabling SMB signing may impact the performance of SMB copy operations. However, this can be mitigated by employing more physical CPU cores or virtual CPUs, as well as utilizing newer and faster CPUs. While enhanced security measures are essential, Microsoft recognizes the need for maintaining optimal system performance.

 

 

Managing SMB Signing Settings

Windows administrators can easily manage SMB signing settings using PowerShell commands. To view the current SMB signing settings, the following PowerShell commands can be executed:

 

Get-SmbServerConfiguration | fl requiresecuritysignature
Get-SmbClientConfiguration | fl requiresecuritysignature

 

To disable the requirement for SMB signing in client connections, run the following PowerShell command as an elevated administrator:

 

Set-SmbClientConfiguration -RequireSecuritySignature $false

 

To disable the requirement for SMB signing in server connections, including Windows 11 Insider Preview Build 25381 and higher with Enterprise edition devices, execute the following PowerShell command as an elevated administrator:

 

Set-SmbServerConfiguration -RequireSecuritySignature $false

 

 

End Notes

Windows 11 Insider Preview Build 25381 brings a significant security enhancement to the SMB protocol with the mandatory requirement for SMB signing in Enterprise editions. By ensuring the integrity and authenticity of data transferred between devices, Microsoft is taking proactive steps to protect users from potential interception and relay attacks.

 

Administrators can easily manage SMB signing settings through PowerShell commands, enabling them to fine-tune security settings while maintaining system performance. With these improvements, Microsoft continues to prioritize the security of Windows and Windows Server, providing users with a more secure and reliable computing environment.

 

Have a question? Or, a comment? Let's Discuss it below...

Thank you for visiting our website!

We value your engagement and would love to hear your thoughts. Don't forget to leave a comment below to share your feedback, opinions, or questions.

We believe in fostering an interactive and inclusive community, and your comments play a crucial role in creating that environment.