SMB firewall rule changes in Windows Insider
Published Nov 08 2023 10:01 AM
Microsoft

Heya folks, Ned here again. Starting with Windows 11 Insider preview Build 25992 (Canary) and Windows Server Preview Build 25997, creating SMB shares changes a longtime Windows Defender Firewall default behavior. 

 

Update April 4, 2024: official documentation now available at Secure SMB Traffic in Windows Server | Microsoft Learn

 

Before

Previously, creating a share automatically configured the firewall to enable the rules in the “File and Printer Sharing” group for the given firewall profiles. This began in Windows XP SP2 with the introduction of the then-new built-in firewall, and the rule was designed for both SMB1 and ease of deployment of a wide array of SMB-using technology, including printing, legacy group policy, and others.

 

Now

Windows now automatically configures the new “File and Printer Sharing (Restrictive)” group when you create an SMB share, which no longer contains inbound NetBIOS ports 137-139. Those ports are not used by SMB2 or later and are an artifact of SMB1. If you reinstall SMB1 server for some legacy compatibility reason, you will need to ensure that those firewall ports are reopened.

 


This change enforces a higher default level of network security and brings SMB firewall rules closer to the Windows Server “File Server” role behavior, which only opens the minimum ports needed to connect and manage sharing. Administrators can still configure the “File and Printer Sharing” group if necessary, as well as modify this new firewall group; these are just default behaviors.
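To see where a given machine stands relative to the new default, the following added example (not from the original post or from Microsoft) lists enabled inbound rules in either group that still open NetBIOS ports 137-139 and compares that with the SMB1 server setting. It assumes an elevated PowerShell session and English rule group display names; the helper name `Test-CoversNetbios` is hypothetical.

```powershell
# Added audit example, not part of the original post. Assumes an elevated session
# on an en-US system; rule group display names are localized on other languages.
$groups       = 'File and Printer Sharing', 'File and Printer Sharing (Restrictive)'
$netbiosPorts = 137..139

function Test-CoversNetbios {
    # Hypothetical helper: true if any LocalPort entry includes 137, 138 or 139.
    param([string[]]$LocalPort)
    foreach ($entry in $LocalPort) {
        if ($entry -match '^\d+$') {
            if ($netbiosPorts -contains [int]$entry) { return $true }
        }
        elseif ($entry -match '^(\d+)-(\d+)$') {
            # Range entry such as '137-139': flag it if it overlaps 137-139.
            if ([int]$Matches[1] -le 139 -and [int]$Matches[2] -ge 137) { return $true }
        }
        # Keywords such as 'Any' or 'RPC' are not treated as NetBIOS here.
    }
    return $false
}

$findings = foreach ($group in $groups) {
    # The Restrictive group does not exist on older builds, so ignore "not found".
    Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
        ForEach-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            if ($filter.Protocol -in 'TCP', 'UDP' -and (Test-CoversNetbios $filter.LocalPort)) {
                [pscustomobject]@{
                    Group     = $group
                    Rule      = $_.DisplayName
                    Profile   = $_.Profile
                    Protocol  = $filter.Protocol
                    LocalPort = $filter.LocalPort -join ','
                }
            }
        }
}

$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
$findings | Format-Table -AutoSize
if ($findings -and -not $smb1Enabled) {
    Write-Warning 'Inbound NetBIOS (137-139) is open but the SMB1 server is disabled; review whether these rules are still needed.'
} elseif ($smb1Enabled -and -not $findings) {
    Write-Warning 'SMB1 server is enabled but no inbound NetBIOS rule is open in these groups; SMB1 needs those ports reopened.'
}
```

The script only reports; it does not enable or disable any rule.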

 

Final Note

We plan future updates for this rule to also remove inbound ICMP, LLMNR, and Spooler Service ports and restrict down to the SMB sharing-necessary ports only.

 

This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:

 

 

For more information on securing SMB on Windows in-market, check out:

 

 

Until next time,

 

Ned Pyle

Last update: Apr 04 2024 04:09 PM