Microsoft bring SMB NTLM Authentication Rate Limiter feature to Windows Server 2022

Various exploitation using rainbow tables and password dictionaries are happening online all the time. As long as they are exposed on the public Internet, there will be robots coming to the door at any time. The SMB network file sharing system is used by a large number of enterprises, so the blasting of the file-sharing system also threatens the security of the internal data of the enterprise.

There are many flaws in the SMB protocol. The Eternal Blue vulnerability that appeared in the past was in the SMB protocol. At that time, many enterprises were attacked because they were not updated in time. In addition to vulnerabilities, weak passwords are easily exploited by robots. Weak passwords and passwords with low strength are very easy for robots to crack. In response to this situation, Microsoft tested new corporate security policies, making conventional blasting methods basically unusable, which should significantly improve corporate security.

Windows Server Insider Preview build 19008

In the Windows Server vNEXT version, Microsoft has added SMB NTLM Authentication Rate Limiter feature. According to Microsoft’s instructions, “Starting in Windows Insider build 25069.1000.220302-1408 and later on Windows 11 and Windows Server 2022, the SMB Server service now implements a default 2-second delay between each failed NTLM-based authentication. This means that if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes, the same number of attempts would now take 25 hours at a minimum.”

This feature is currently only supported on Windows Server vNEXT Build 25069 and above, and there are still some issues that need to be debugged. This feature is controlled by the enterprise administrator and is subsequently enabled by default, but can be disabled if the enterprise wishes to continue to use unlimited login. Some third-party applications may have errors in calling this feature, and if testers find this to be the case, they can disable it first and then submit feedback to Microsoft.

This feature is controlled with PowerShell cmdlet:

      Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n

The value is in milliseconds, must be a multiple of 100 and can be 0-10000. Setting to 0 disables the feature.

To see the current value, run: