SMB signing to be required by default in Windows 11

SMB signing to be required by default in Windows 11 Microsoft has said that it will require SMB (Server Message Block) signing (aka security signatures) by default for all connections to defend against NTLM relay attacks in Windows 11, starting with the latest Windows build (Enterprise edition) rolling out to Insiders in the Canary Channel.

Such attacks require network devices (including domain controllers) to impersonate malicious servers under the attackers' control and elevate privileges so they can gain complete control over the Windows domain. "This changes legacy behaviour, where Windows 10 and 11 required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing when any client connected to them," Microsoft said in a blogpost.

SMB signing aids in the detection of malicious authentication requests by confirming the identities of the sender and receiver via signatures and hashes embedded at the end of each message.