Microsoft Previews Brute-Force NTLM Login Attempt Delay in Windows Server
Microsoft Previews Delaying Brute-Force NTLM Login Attempts in Windows Server
Microsoft this week announced a preview of its upcoming enhancements to Windows Server (“VNext”), which includes a new approach to deter brute-force attempts to guess system passwords and gain network access.
This new approach is known as the Windows NT LAN Manager (NTLM) Server Message Block (SMB) Authentication Rate Limiter. The rate that this feature limits is the period of time between attempts to guess passwords for NTLM logins. Microsoft is now previewing this feature in its new Windows Server Insider build 25075 for use by testers.
The idea behind the SMB Authentication Rate Limiter is to thwart attackers who use automated “dictionary” methods to guess NTLM connections. NTLM is an older challenge-response authentication protocol that is still supported for use with Windows system authentications, although Microsoft recommends using Kerberos instead.
To invoke the SMB Authentication Rate Limiter, IT pros use a PowerShell commandlet. It allows them to specify the delay between NTLM login attempts in milliseconds. Microsoft has already specified a default timeout of two seconds (2,000 milliseconds) for Windows Insider Program testers, affecting Windows 11 and Windows Server 2022 operating systems.
“As of Windows Insider build 25069.1000.220302-1408 and later on Windows 11 and Windows Server 2022, the SMB Server service now implements a default delay of 2 seconds between each NTLM-based authentication failure,” explains the announcement.
IT pros can set the timeout however they like, but Microsoft is experimenting with the default two seconds. He wants feedback on using the SMB Authentication Rate Limiter Preview, as “some third-party apps may experience issues with this new feature.” Microsoft may also change the default timeout, based on user feedback it receives.
Kerberos users can relax, because “this behavior change has no effect on Kerberos, which authenticates before an application protocol like SMB connects,” the announcement explains.
Essentially, Microsoft is trying to make life difficult for brute-force password guessers with the SMB Authentication Rate Limiter feature.
Attackers can typically use “common open source tools” to send NTLM login attempts at a rate of “hundreds of login attempts per second,” said Ned Pyle, senior program manager for the Windows Server engineering group, in this Microsoft Tech Community post (which includes a demo).
When 300 brute-force password guessing attempts per second are sent by an attacker over five minutes, that’s 90,000 password attempts in a relatively short period of time. However, adding a default two-second delay between such password attempts would lengthen such an attack period to “a minimum of 25 hours”, Pyle explained. Such a delay can make Windows Server less attractive as a target.
Microsoft plans to add the SMB Authentication Rate Throttling feature to its next new versions of the Windows operating system, both server and client, this year, and the feature may also be backported to older Windows Server products. , according to Pyle, in this discussion on Twitter. Here’s how Pyle put it:
Functionality [SMB authentication rate limiter] will come in the next major server and client OS release, in the WS2022 Azure Edition Annual Update later this year, and likely as a backport in WS2022 and possibly 2019. It will take see how the preview goes.
Pyle referred to the SMB Authentication Rate Throttling feature as another SMB security enhancement Microsoft has made since the release of Windows 11 and Windows Server 2022. “Legacy” or older behaviors of SMB will be covered in future versions of the Windows operating system, Pyle added. .
We will change, deprecate, or remove many legacy SMB and pre-SMB protocol behaviors in future major operating system releases as part of a security modernization campaign, similar to the removal of SMB1. I will have a lot more to share over the coming year, stay tuned.
Windows Server Insider Programs from Microsoft
The Windows Server Insider program allows IT professionals to test and provide feedback on features that may or may not come in a future Windows Server update release. This release of build 25075 is a preview of the next server release, and not necessarily the current Windows Server 2022 product, Microsoft’s announcement pointed out.
“The brand has not yet been updated and remains Windows Server 2022 in this preview – when reporting issues, please refer to ‘VNext’ rather than Windows Server 2022 which is currently in the market,” said explained the announcement.
Microsoft plans to launch an Insider program specifically for Windows Server 2022 Datacenter Azure Edition users, followed by another for Azure Stack HCI Azure Edition users, Pyle noted, in this March 15 tech community post.