Shulou(Shulou.com)11/24 Report--

CTOnews.com November 16, Microsoft today released Win11 Build 25997 preview update, but also released Windows Server Build 25997 preview version, mainly for the data center version and standard version to add SMB over QUIC.

CTOnews.com attached the update as follows:

What's new: data Center Edition and Standard Edition support SMB over QUIC starting from this version (Build 25997), Windows Server data Center Edition and Standard Edition both support SMB over QUIC, which was previously only available in Windows Server Azure Edition.

For more information about this update, please visit: https://aka.ms/SMBoverQUICServer.

Information about SMB over QUIC can be found at: https://aka.ms/SMBoverQUIC.

Changing SMB firewall rules begins with this version (Build 25997), and creating a SMB share will change the default behavior of the long-term Windows Defender firewall.

Previously, creating a share automatically configured the firewall to enable the rules in the File and Printer sharing group for a given firewall profile.

Windows now automatically configures the new File and Printer sharing (restricted) group, which no longer contains inbound NetBIOS ports 137139.

Microsoft plans to update this rule in the future to remove both inbound ICMP, LLMNR, and daemon service ports and limit them to only those required for SMB sharing.

This change enforces higher default standards for network security and brings SMB firewall rules closer to the Windows Server File Server role behavior.

If necessary, the administrator can still configure the File and Printer sharing group and modify this new fire wall group.

SMB NTLM blocking exception list Microsoft in Win11 Build 25951 preview, the SMB client will support NTLM that blocks remote outbound connections. Windows SPNEGO negotiates Kerberos, NTLM, and other mechanisms with the target server to determine which security packages are supported.

CTOnews.com Note: the NTLM here refers to all versions of the LAN Manager security package: LM, NTLM, and NTLMv2.

Thanks to this, IT administrators can proactively prevent Windows from providing NTLM through SMB. As a result, even if an attacker succeeds in deceiving a user or application into sending a NTLM response to a malicious server, it will not receive any NTLM data, nor will it be able to perform brute force cracking, password cracking, or password passing. This provides a higher level of protection for enterprises without completely disabling the NTLM feature in the operating system.

Administrators can configure this option using Group Policy and PowerShell. You can also use NET USE and PowerShell to block NTLM used in SMB connections as needed.

SMB standby client and server ports: previously, SMB only supported TCP / 445, QUIC / 443, and RDMA iWARP / 5445. The SMB client now supports an alternate network port that uses hard-coded defaults to connect to the SMB server through TCP, QUIC, or RDMA.

In addition, the SMB over QUIC server in Windows Server supports the configuration of different ports for different terminals. Windows Server does not support the configuration of standby SMB server TCP ports, but third parties such as Samba do.

Users can specify alternate SMB client ports using the NET USE command and New-SmbMapping PowerShell cmdlet, or they can disable this feature entirely using Group Policy.

QUIC-based SMB client access control certificate change: the SMB feature based on QUIC client access control, first announced in Windows 11 Insider Preview Build 25977, now supports the use of certificates with alternate names for consumers, not just individual consumers.

This means that the client access control feature now supports the use of Microsoft AD certificate authorities and multiple endpoint names, just like the currently released QUIC-based version of SMB. You can now evaluate this feature using the recommended options without requiring a self-signed test certificate.

Available for download: Windows Server LTSC preview in ISO format in 18 languages, and VHDX format in English only.

Windows Server Datacenter Azure preview version in ISO and VHDX format, in English only.

Preview of Microsoft server language and optional features

Key is only valid for preview version: server standard: MFY9F-XBN2F-TYFMP-CCV49-RMYVH

Data Center: 2KNJJ-33Y9H-2GXGX-KMQWH-G6H67

The Azure version does not accept keys.

Microsoft also pointed out that the preview version will expire on September 15, 2024. Netizens who need it can click here to download the image and update the log address: here.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.