Microsoft Boosts Windows Security Against NTLM Relay Attacks

“Speed or safety?” is a dilemma administrators will soon face.

Microsoft announced that, starting June 2, SMB signing will be required by default for all connections to network resources in Windows Insider build 25381. This is a precaution against NTLM relay attacks, in which attackers can spoof the identity of devices on the network and take full control of the Windows domain.

“This changes the previous behavior where Windows 10 and 11 only required SMB signing by default when connecting to SYSVOL and NETLOGON shares, and Active Directory domain controllers required SMB signing for any connection to them,” Microsoft said.

SMB signing allows you to block malicious authentication requests by verifying the identity of the sender and recipient using special codes embedded at the end of each message.

SMB servers and remote folders that have SMB signing disabled will cause connection errors with various messages such as “The cryptographic signature is invalid”, “STATUS_INVALID_SIGNATURE”, “0xc000a000”, or “-1073700864”.

This security mechanism has been available for a very long time, since Windows 98 and Windows 2000, but it was updated in Windows 11 and Windows Server 2022 to improve security.

While blocking NTLM relay attacks should be a priority for any security team, Windows administrators may not favor this approach. The reason is that signing reduces the data transfer rate over the SMB protocol.

“SMB signing can degrade the performance of SMB copy operations. You can mitigate this with more physical or virtual processor cores, as well as newer and faster processors,” Microsoft warned.

“Expect this default signing change to roll out to Pro, Education, and other editions of Windows over the next few months, as well as Windows Server. Depending on how things go for Insiders, it will then start showing up in major releases,” said Ned Pyle, chief program manager at Microsoft.

If administrators decide that SMB signing is not needed on specific connections, Microsoft has provided a way to turn the new default off. Running the following commands from an elevated PowerShell terminal disables the SMB signing requirement:


Set-SmbClientConfiguration -RequireSecuritySignature $false

Set-SmbServerConfiguration -RequireSecuritySignature $false

A reboot is not required after running these commands, but SMB connections that are already open continue to use signing until they are closed.
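Before relaxing the requirement, it helps to see what the machine currently enforces and which open connections are actually signed. The read-only audit below is an added example, not code from Microsoft or the original article; the function name Get-SmbSigningPosture is hypothetical, and it relies only on the built-in Get-SmbClientConfiguration, Get-SmbServerConfiguration and Get-SmbConnection cmdlets.

```powershell
# Added example: read-only audit of SMB signing on the local machine.
# Get-SmbSigningPosture is a hypothetical name; it changes no settings.
# Run from an elevated PowerShell terminal.
function Get-SmbSigningPosture {
    [CmdletBinding()]
    param()

    # Requirement per role: the values that -RequireSecuritySignature sets.
    $roles = @(
        [pscustomobject]@{
            Role            = 'Client'
            SigningRequired = [bool](Get-SmbClientConfiguration).RequireSecuritySignature
        }
        [pscustomobject]@{
            Role            = 'Server'
            SigningRequired = [bool](Get-SmbServerConfiguration).RequireSecuritySignature
        }
    )

    # Open outbound connections keep the signing state they negotiated,
    # so inspect each one instead of inferring it from the setting.
    $connections = @(Get-SmbConnection -ErrorAction SilentlyContinue |
        Select-Object ServerName, ShareName, Dialect, Signed, Encrypted)

    # Encrypted SMB 3.x sessions are integrity-protected by the encryption,
    # so only connections that are neither signed nor encrypted are flagged.
    $unprotected = @($connections |
        Where-Object { -not $_.Signed -and -not $_.Encrypted })

    [pscustomobject]@{
        Roles       = $roles
        Connections = $connections
        Unprotected = $unprotected
    }
}

$posture = Get-SmbSigningPosture
$posture.Roles | Format-Table -AutoSize
$posture.Connections | Format-Table -AutoSize

foreach ($role in $posture.Roles | Where-Object { -not $_.SigningRequired }) {
    Write-Warning "$($role.Role): SMB signing is not required, so unsigned sessions are allowed."
}
foreach ($c in $posture.Unprotected) {
    Write-Warning "\\$($c.ServerName)\$($c.ShareName) is neither signed nor encrypted."
}
```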

This change is part of a broader Microsoft effort to improve the security of Windows and Windows Server, which began last year. In April 2022, Microsoft announced the final step of deprecating the SMB1 protocol on Windows by disabling it by default for Windows 11 Home Insiders. Five months later, it announced enhanced protection against brute-force attacks with the introduction of an SMB authentication rate limiter to address failed NTLM authentication attempts at login.

Source: www.securitylab.ru
