Hello Windows Server Insiders!
Today we are pleased to release a new build of the next Windows Server Long-Term Servicing Channel (LTSC) Preview that contains both the Desktop Experience and Server Core installation options for Datacenter and Standard editions. Branding has not yet been updated and remains as Windows Server 2022 in this preview - when reporting issues please refer to "VNext" rather than Windows Server 2022 which is currently in market.
What's New
SMB NTLM Authentication Rate Limiter
SMB isn't just a file server running on tens of millions of Windows Server machines, it's a ubiquitous service on more than a billion Windows 10 and 11 computers. While not remotely accessible by default, and even though not all machines are dedicated file servers, IT staff often enable access to the SMB server for legitimate organizational reasons like file transfers. A side effect of this ubiquity is SMB can be a useful authentication mechanism for bad actors to attempt brute force dictionary attacks. After enumerating or guessing Active Directory or local account names through other means, an attacker can send NTLM logons to a machine at high rate - dozens to hundreds of attempts per second - in an attempt to guess their password. If an organization has no intrusion detection software or does not set a password lockout threshold, an attacker might guess a user's password in a matter of hours or less.
Starting in Windows Insider build 25069.1000.220302-1408 and later on Windows 11 and Windows Server 2022, the SMB Server service now implements a default 2-second delay between each failed NTLM-based authentication. This means that if an attacker previously sent 300 brute force attempts per second from a client for 5 minutes, the same number of attempts would now take 25 hours at a minimum. This setting is controllable by an administrator and can also be disabled. It's possible the default time and behaviors may change after we evaluate usage in Insiders and take feedback; it's also possible some third-party applications may have problems with this new feature - please use Feedback Hub to file bugs if you find that disabling the feature resolves your application's issue.
This feature is controlled with PowerShell cmdlet:
Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs n
The value is in milliseconds, must be a multiple of 100 and can be 0-10000. Setting to 0 disables the feature.
To see the current value, run:
Get-SmbServerConfiguration
This behavior change has no effect on Kerberos, which authenticates before an application protocol like SMB connects. It is designed to be another layer in your defense in depth planning. This continues the new generation of SMB and file server security enhancements first begun with SMB over QUIC in Windows 11 and Windows Server 2022. We will deprecate and remove many legacy SMB and pre-SMB protocol behaviors over the next few major releases of operating systems in a security modernization campaign similar to the removal of SMB1.
Available Downloads
Keys: Keys are valid for preview builds only.
- Windows Server Long-Term Servicing Channel Preview in ISO format in 18 languages, and in VHDX format in English only.
- Microsoft Server Languages and Optional Features Preview
Symbols: available on the public symbol server – see Using the Microsoft Symbol Server.
- Server Standard: MFY9F-XBN2F-TYFMP-CCV49-RMYVH
- Datacenter: 2KNJJ-33Y9H-2GXGX-KMQWH-G6H67
Expiration: This Windows Server Preview will expire September 15, 2022.
How to Download
Registered Insiders may navigate directly to the Windows Server Insider Preview download page. If you have not yet registered as an Insider, see GETTING STARTED WITH SERVER on the Windows Insiders for Business portal.
We value your feedback!
The most important part of the release cycle is to hear what's working and what needs to be improved, so your feedback is extremely valued. For Windows Server, use your registered Windows 10 or Windows 11 Insider device and use the Feedback Hub application. In the app, choose the Windows Server category and then the appropriate subcategory for your feedback. In the title of the Feedback, please indicate the build number you are providing feedback on as shown below to ensure that your issue is attributed to the right version:
[Server #####] Title of my feedback
See Give Feedback on Windows Server via Feedback Hub for specifics. We also encourage you to visit the Windows Server Insiders space on the Microsoft Tech Communities forum to collaborate, share and learn from experts. The Insider forum supports pre-release builds of the next version of Windows Server. For versions that have been released to general availability in market, try the Windows Server for IT Pro forum or contact Support for Business.
Diagnostic and Usage Information
Microsoft collects this information over the internet to help keep Windows secure and up to date, troubleshoot problems, and make product improvements. Microsoft server operating systems can be configured to turn diagnostic data off, send Required diagnostic data, or send Optional diagnostic data. During previews, Microsoft asks that you change the default setting to Optional to provide the best automatic feedback and help us improve the final product.
Administrators can change the level of information collection through Settings. For details, see http://aka.ms/winserverdata. Also see the Microsoft Privacy Statement.
Terms of Use
This is pre-release software - it is provided for use "as-is" and is not supported in production environments. Users are responsible for installing any updates that may be made available from Windows Update. All pre-release software made available to you via the Windows Server Insider program is governed by the Insider Terms of Use.
Source:
Announcing Windows Server Preview Build 25075
Hello Windows Server Insiders! Today we are pleased to release a new build of the next Windows Server Long-Term Servicing Channel (LTSC) Preview that contains..
techcommunity.microsoft.com