Jump to content
  • Windows 11 Canary Insider Build 25951 adds SMB NTLM Blocking and Dialect Management


    Karlston

    • 719 views
    • 3 minutes
     Share


    • 719 views
    • 3 minutes

    Microsoft has released the latest Windows 11 build for the members of the Windows Insider Program on the Canary channel. The new build number is 25951 and includes a couple of new SMB related features, along with a bug fix and a couple of known issues. You can also download the ISO files for this build.

     

    Here is the changelog:

     

    What’s new in Build 25951

     

    SMB NTLM Blocking

     

    Starting with this build (Build 25951), the SMB client now supports blocking NTLM for remote outbound connections. This changes legacy behavior, where Windows SPNEGO would negotiate Kerberos, NTLM, and other mechanisms with the destination server to decide on a supported security package. NTLM in this case refers to all versions of the LAN Manager security package: LM, NTLM, and NTLMv2.

     

    With this new option, an administrator can intentionally block Windows from offering NTLM via SMB. An attacker who tricks a user or application into sending NTLM challenge responses to a malicious server will no longer receive any NTLM data and cannot brute force, crack, or pass a password, as they will never be sent over the network. This adds a new level of protection for enterprises without a requirement to entirely disable NTLM usage in the OS. You can configure this option with Group Policy and PowerShell. You can also block the use of NTLM in SMB connections on demand with NET USE and PowerShell.

     

    For more information on configuring and troubleshooting NTLM blocking, review https://aka.ms/SmbNtlmBlock.

     

    SMB Dialect Management

     

    Starting with this build (Build 25951), the SMB server now supports controlling which SMB 2 and 3 dialects it will negotiate. This changes legacy behavior, where Windows SMB always negotiated the highest matched server dialect from SMB 2.0.2 to 3.1.1 clients. Beginning in Windows 10, support was added for controlling SMB client dialects, but not server dialects.

     

    With this new option, an administrator can remove older SMB protocols from usage in the organization, blocking older, less secure, and less capable Windows devices and third parties from connecting.

     

    You can configure this option with Group Policy and PowerShell. Both SMB client and server now include complete management support (previously the client support was only manual registry editing).

     

    For more information on understanding and configuring SMB dialects, review https://aka.ms/SmbDialectManage.

     

    Changes and Improvements

     

    [Lock screen]

     

    • We’ve adjusted the network flyout on the Lock screen to better match the UI of the network flyout from quick settings in system tray on the taskbar.

     

    Known issues

     

    • Some popular games may not work correctly on the most recent Insider Preview builds in the Canary Channel. Please be sure to submit feedback in Feedback Hub on any issues you see with playing games on these builds.

    • [NEW] We’re investigating reports that the print queue is no longer accessible.

     

    You can check out the full blog post here:

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...