Microsoft Makes SMB Signing Default Requirement in Windows 11 to Boost Security


Microsoft on Friday announced that SMB signing is now a default requirement in Windows 11 Enterprise editions, starting with insider preview build 25381.

Also known as security signatures, SMB signing (Server Message Block signing) is a security mechanism where every SMB message contains a signature meant to confirm the identities of the sender and the receiver.

Available since Windows 98 and Windows 2000, SMB signing would block modified messages by checking the hash of the entire message, which the client puts into the signature field.

The security mechanism is meant to prevent relay attacks, but it has not been enabled by default in Windows 10 and Windows 11, except for connections to shares named SYSVOL and NETLOGON and if Active Directory (AD) domain controllers were set to require SMB signing for client connections.

All Windows and Windows Server versions support SMB signing, and the feature is now enabled by default for all connections, starting with Windows 11 insider preview build 25381 Enterprise editions, released in the Canary channel.

“This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape,” Microsoft explained. 

Read more…