smb-ntlm-blocking.md

File metadata and controls

122 lines (80 loc) · 5.38 KB
---
title: Block NTLM connections on SMB (preview)
description: Learn how to make SMB more secure by blocking NTLM.
ms.topic: how-to
author: Heidilohr
ms.author: helohr
ms.date: 03/07/2024
---

# Block NTLM connections on SMB (preview)

> [!IMPORTANT]
> Windows Server Insider builds are in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.

The SMB client now supports blocking NTLM authentication for remote outbound connections. With blocking enabled, an attacker can no longer trick the client into sending an NTLM authentication exchange to a server they control, which is how credential capture for NTLM relay, offline brute force or cracking of the challenge-response, and subsequent pass-the-hash attacks typically begins. NTLM blocking is also a step toward moving an organization's authentication to Kerberos, which is more secure than NTLM because its ticket system lets the client verify the server's identity (mutual authentication). You can enable this layer of protection on the SMB client without disabling NTLM for the whole system.

## Prerequisites

NTLM blocking for the SMB client requires the following prerequisites:

> [!TIP]
> NTLM blocking is an SMB client capability only. The SMB client is built into both Windows Server and Windows client operating systems. The destination SMB server can be any operating system where Kerberos or PKU2U authentication is available, since those are the protocols the client must use once NTLM is blocked.

## Configure SMB client NTLM blocking

Starting with Windows Server Insiders build 25951 and Windows 11 Insiders build 25951, you can configure the SMB client to block NTLM, either by editing the relevant Group Policy setting or by running a PowerShell command. Earlier versions of Windows don't have this SMB-specific setting; restricting NTLM there means using the general Network security: Restrict NTLM policies instead, which apply to all NTLM use on the system rather than just the SMB client.

To configure NTLM blocking using Group Policy:

  1. Open the Group Policy Management Console.

  2. In the console tree, go to Computer Configuration > Administrative Templates > Network > Lanman Workstation.

  3. Right-click Block NTLM (LM, NTLM, NTLMv2) and select Edit.

  4. Select Enabled.

To configure NTLM blocking using PowerShell:

  1. Open an elevated PowerShell window.

  2. Run the following command to enable NTLM blocking (add `-Force` to skip the confirmation prompt):

     ```powershell
     Set-SmbClientConfiguration -BlockNTLM $true
     ```

## Enable exceptions to NTLM blocking

There might be scenarios where you need to allow certain machines to use NTLM instead of blocking it globally, for example when the SMB server you're connecting to isn't joined to an Active Directory domain and so can't be authenticated with Kerberos.

To enable a list of exceptions to NTLM blocking:

  1. In the Group Policy Editor Console tree, go to Computer Configuration > Administrative Templates > Network > Lanman Workstation.

  2. Right-click Block NTLM Server Exception List and select Edit.

  3. Select Enabled.

  4. Enter the IP addresses, NetBIOS names, and fully qualified domain names (FQDNs) of the remote machines you want to allow NTLM authentication to.

There isn't currently a PowerShell cmdlet equivalent to the Block NTLM Server Exception List Group Policy setting, so you must enable the setting in the Group Policy Editor first. Once it's enabled, you can append individual exceptions by editing the policy's registry value directly. In the following command, replace the `AddToList` value with the DNS name, IP address, or NetBIOS name of the server you want to allow:

```powershell
$AddToList = "AddToList"   # replace with the DNS name, IP address, or NetBIOS name to allow
$params = @{
  Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation"
  Name = "BlockNTLMServerExceptionList"
}
# Read the existing list; the value is absent until the policy has been enabled once.
$CurrentValue = (Get-ItemProperty @params -ErrorAction SilentlyContinue).BlockNTLMServerExceptionList
# Append the new entry, keeping the value an array of strings.
$params["Value"] = if ($null -eq $CurrentValue) { @($AddToList) } else { @($CurrentValue) + $AddToList }
Set-ItemProperty @params
```

You can also add multiple entries at once by separating them with commas, as shown in the following example:

```powershell
$params = @{
  Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation"
  Name = "BlockNTLMServerExceptionList"
}
$CurrentValue = (Get-ItemProperty @params -ErrorAction SilentlyContinue).BlockNTLMServerExceptionList
# The comma operator builds the new entries into an array before it's appended.
$params["Value"] = if ($null -eq $CurrentValue) { @("192.168.10.10","corp.contoso.com","CORP") } else { @($CurrentValue) + "192.168.10.10","corp.contoso.com","CORP" }
Set-ItemProperty @params
```
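The following is an added example, not code from the Microsoft page: a small set of functions that read, add to, and remove from the exception list idempotently, so repeated runs don't grow the list with duplicates. It assumes the registry path and value name the page gives, that the Group Policy setting has already been enabled once (so the value exists), and that the value is stored as a multi-string (REG_MULTI_SZ); that last point is an assumption, as is the choice of `-Type MultiString` when writing.

```powershell
# Added example (not from the Microsoft page): manage the SMB client NTLM
# exception list in the policy registry value the page references.
# Assumptions: the Group Policy "Block NTLM Server Exception List" has already
# been Enabled once, so the value exists, and it is a multi-string (REG_MULTI_SZ).
$ExceptionKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
$ExceptionValue = 'BlockNTLMServerExceptionList'

function Get-SmbNtlmException {
    # Returns the current entries as an array (empty array if the value is absent).
    $item = Get-ItemProperty -Path $ExceptionKey -Name $ExceptionValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$ExceptionValue) | Where-Object { $_ -ne '' }
}

function Add-SmbNtlmException {
    param(
        [Parameter(Mandatory)]
        [string[]]$Server   # IP addresses, NetBIOS names, or FQDNs
    )
    # Requires elevation: writing under HKLM\SOFTWARE\Policies needs an admin token.
    $current = Get-SmbNtlmException
    # Sort-Object -Unique compares case-insensitively, so CORP and corp don't both end up in the list.
    $merged = @($current + $Server | Sort-Object -Unique)
    if (-not (Test-Path $ExceptionKey)) { New-Item -Path $ExceptionKey -Force | Out-Null }
    Set-ItemProperty -Path $ExceptionKey -Name $ExceptionValue -Value $merged -Type MultiString
    return $merged
}

function Remove-SmbNtlmException {
    param([Parameter(Mandatory)][string[]]$Server)
    # -notcontains is case-insensitive, matching how names are entered in the policy.
    $remaining = @(Get-SmbNtlmException | Where-Object { $Server -notcontains $_ })
    Set-ItemProperty -Path $ExceptionKey -Name $ExceptionValue -Value $remaining -Type MultiString
    return $remaining
}

# Usage (constructed sample servers): allow NTLM only to a workgroup NAS and a
# legacy file server, then review what is configured.
Add-SmbNtlmException -Server '192.168.10.10', 'nas01.corp.contoso.com', 'LEGACYFS'
Get-SmbNtlmException
```

One caveat worth keeping in mind: the value lives under a policy key, so the next Group Policy refresh rewrites it from whatever the GPO (domain or local) specifies. Treat direct registry edits as a quick local test and put the authoritative exception list in the GPO itself.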

## Block NTLM while mapping SMB drives

You can also block NTLM for a single new SMB connection when mapping a drive, without changing the client's global configuration, by running the following commands.

Run this command to specify NTLM blocking when mapping a drive with NET USE:

```cmd
NET USE \\server\share /BLOCKNTLM
```

Run this command to specify NTLM blocking when mapping an SMB drive with PowerShell:

```powershell
New-SmbMapping -RemotePath \\server\share -BlockNTLM $true
```
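The following is an added example, not code from the Microsoft page, that ties the per-connection `-BlockNTLM` switch described here to the global setting from the configuration section above. It audits a list of shares by attempting each connection with NTLM blocked, reports which ones still work (meaning Kerberos or PKU2U succeeded), and only enables the global block once every required share passes. The share list is constructed sample input; `Get-SmbClientConfiguration` exposing a `BlockNTLM` property on the preview builds is an assumption.

```powershell
# Added example (not from the Microsoft page): find shares that still depend on
# NTLM before enforcing the global block. Uses the per-connection -BlockNTLM
# switch on New-SmbMapping, so the client's global configuration is untouched
# during the audit. The share list below is constructed sample input.
$SharesToTest = @(
    '\\fs01.corp.contoso.com\finance',   # domain-joined FQDN: Kerberos expected to work
    '\\192.168.10.10\backup',            # raw IP: usually no SPN, so NTLM fallback expected
    '\\LEGACYFS\public'                  # NetBIOS name of a workgroup machine
)

function Test-SmbShareWithoutNtlm {
    param([Parameter(Mandatory)][string]$RemotePath)
    $result = [pscustomobject]@{ RemotePath = $RemotePath; KerberosOk = $false; Error = $null }
    try {
        # -BlockNTLM $true makes this one connection fail instead of falling back to NTLM.
        $null = New-SmbMapping -RemotePath $RemotePath -BlockNTLM $true -ErrorAction Stop
        $result.KerberosOk = $true
        # Tear the mapping down so the audit leaves no persistent connections behind.
        Remove-SmbMapping -RemotePath $RemotePath -Force -ErrorAction SilentlyContinue
    } catch {
        $result.Error = $_.Exception.Message
    }
    return $result
}

$report = $SharesToTest | ForEach-Object { Test-SmbShareWithoutNtlm -RemotePath $_ }
$report | Format-Table -AutoSize

# Shares that failed are candidates for the exception list, or better, for fixing
# (connect by FQDN rather than IP, or register an SPN) so Kerberos can be used.
# Once every required share passes, enforce the block globally and read it back.
if (-not ($report | Where-Object { -not $_.KerberosOk })) {
    Set-SmbClientConfiguration -BlockNTLM $true -Force
    Get-SmbClientConfiguration | Select-Object BlockNTLM   # assumed property name
}
```

Run the audit from an elevated session under the account that will actually use the shares, since Kerberos ticket acquisition depends on that account's domain membership and the server's SPN, not on the machine alone.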

## Related content