Microsoft removes SMB1 firewall rules in latest Windows 11 update

Windows 11 is taking another stride towards bolstering its security by discontinuing the automatic setup of SMB1 protocol-related firewall rules in the latest Canary Channel Insider Preview Build 25992.

Previously, from the days of Windows XP SP2, creating new SMB shares would trigger the addition of firewall rules within the "File and Printer Sharing" group for selected firewall profiles. The latest change, however, will see Windows 11 favor the newer "File and Printer Sharing (Restrictive)" group, which excludes inbound rules for NetBIOS ports 137-139, remnants of the outdated SMB1 protocol.

"This adjustment promotes a more secure network by default and aligns SMB firewall rules more closely with those of the Windows Server 'File Server' role," explained Amanda Langowski and Brandon LeBlanc from Microsoft.

Administrators still retain the flexibility to configure the original "File and Printer Sharing" group or modify the new firewall group as needed.

Ned Pyle, a Principal Program Manager at Microsoft, added that future updates would further refine these rules. The aim is to eliminate inbound ICMP, LLMNR, and Spooler Service ports, narrowing it down to only those ports essential for SMB sharing.

Moreover, the SMB client has evolved to support connections with an SMB server over custom network ports via TCP, QUIC, or RDMA, moving beyond the previous limitation to fixed ports for TCP/445, QUIC/443, and RDMA iWARP/5445.

​

Enhancing Windows Security Step by Step

These changes are part of Microsoft's broader initiative to upgrade the security of Windows and Windows Server, as evidenced by recent updates.

The introduction of Windows 11 Insider Preview Build 25982 in the Canary Channel now allows administrators to mandate SMB client encryption for all outgoing connections. This enforcement ensures that all servers support SMB 3.x and encryption, safeguarding connections from potential eavesdropping and interception threats.

Additionally, Windows 11 systems can be set up to block the transmission of NTLM data over SMB on remote outbound connections, as seen in Windows 11 Insider Preview Build 25951. This measure is designed to protect against pass-the-hash, NTLM relay, and password-cracking attacks.

Furthermore, the Canary Build 25381 of Windows 11 Insider Preview mandated SMB signing by default for all connections to shield against NTLM relay attacks.

In April of the previous year, Microsoft embarked on the last phase of phasing out the archaic SMB1 file-sharing protocol for Windows 11 Home Insiders.

In a move to reinforce defenses against brute-force attacks, September 2022 saw the introduction of an SMB authentication rate limiter. This feature is aimed at lessening the impact of failed inbound NTLM authentication attempts, marking another milestone in Microsoft's commitment to enhancing the security of its operating systems.