Microsoft is cracking down on NTLM relaying. To that end, it is mandating SMB signing for all Windows 11 devices.
A Windows 11 feature that mandates SMB signing is rolling out in the Insider channel. This security signature prevents hackers from tampering with a message during transmission.
Tampering with Microsoft protocols
The goal is to stop NTLM relay attacks. NTLM is a set of security protocols Microsoft uses to enable authentication. It is, however, still possible to tamper with this protocol. In NTLM relaying, an attacker manipulates network devices into sending authentication requests to a server of the attacker's choosing. The attacker then uses that infected server to grant himself more permissions and hijack the entire network device.
SMB (Server Message Block) signing makes this impossible, because once a hacker tampers with a message during transmission, the security signature betrays it. The security mechanism has existed in the Windows environment since Windows 98 and 2000. Microsoft is now tinkering with an improved signature version because data encryption has recently undergone significant changes.
If a third-party server does not yet allow SMB signing, or the mechanism has unmasked an attacker, one of the following error messages appears: “0xc000a000,” “-1073700864,” “STATUS_INVALID_SIGNATURE,” or “The cryptographic signature is invalid.” If the cause is the third-party server, you can simply enable support for SMB signing on that device.
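The check behind those error messages can be sketched in a few lines. This is an added example, not Microsoft's code: it models SMB 2.x-style signing (HMAC-SHA256 over the message with the header's Signature field zeroed, truncated to 16 bytes), and the session key, payload and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

STATUS_INVALID_SIGNATURE = 0xC000A000  # error code quoted in the article
SIG_OFFSET, SIG_LEN = 48, 16           # Signature field of the 64-byte SMB2 header
SMB2_FLAGS_SIGNED = 0x00000008

def build_message(payload: bytes) -> bytes:
    """Constructed minimal message: 64-byte SMB2-style header plus payload."""
    header = bytearray(64)
    header[0:4] = b"\xfeSMB"                                # ProtocolId
    struct.pack_into("<H", header, 4, 64)                   # StructureSize
    struct.pack_into("<I", header, 16, SMB2_FLAGS_SIGNED)   # Flags
    return bytes(header) + payload

def _mac(session_key: bytes, message: bytes) -> bytes:
    # The signature is computed with the Signature field set to zero.
    zeroed = bytearray(message)
    zeroed[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = bytes(SIG_LEN)
    return hmac.new(session_key, bytes(zeroed), hashlib.sha256).digest()[:SIG_LEN]

def sign(session_key: bytes, message: bytes) -> bytes:
    signed = bytearray(message)
    signed[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = _mac(session_key, message)
    return bytes(signed)

def verify(session_key: bytes, message: bytes) -> int:
    """Return 0 on success, STATUS_INVALID_SIGNATURE on mismatch."""
    received = message[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    ok = hmac.compare_digest(received, _mac(session_key, message))
    return 0 if ok else STATUS_INVALID_SIGNATURE

def as_signed32(status: int) -> int:
    """Same status as a signed 32-bit integer, as some tools display it."""
    return status - (1 << 32) if status & 0x80000000 else status

def demo():
    key = bytes(range(16))  # constructed session key shared by client and server
    msg = sign(key, build_message(b"constructed payload"))
    tampered = bytearray(msg)
    tampered[-1] ^= 0x01    # one bit changed in transit
    # Third case: a party that does not hold the session key checks the message.
    return verify(key, msg), verify(key, bytes(tampered)), verify(bytes(16), msg)

if __name__ == "__main__":
    for status in demo():
        print(f"0x{status:08x} ({as_signed32(status)})")
```

The hexadecimal and negative decimal values in the article are the same 32-bit status code, shown unsigned and signed.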
“SMB signing can reduce the performance of SMB copy operations. You can mitigate this with more physical CPU cores or virtual CPUs as well as newer, faster CPUs,” Microsoft warns its Insiders.