Starting with the latest Windows 11 preview build, creating a new SMB file share no longer automatically enables the firewall rules that open the legacy SMB1 ports. Since Windows XP SP2, creating a share has enabled the rules in the “File and Printer Sharing” group, and that group includes the inbound NetBIOS ports that SMB1 relies on.
On Windows 11, new shares now enable the “File and Printer Sharing (Restrictive)” group instead. That group omits the inbound NetBIOS ports 137-139 (UDP 137, UDP 138 and TCP 139) that SMB1 used; SMB2 and later need only TCP 445. The change makes SMB firewall rules behave more like the File Server role on Windows Server, and admins can still modify the rules if they need the old behaviour.
In future updates, Microsoft plans to narrow this group further to only the ports SMB actually needs. Separately, Microsoft Principal Program Manager Ned Pyle noted in another blog post that the SMB client can now connect to SMB servers over TCP, QUIC, or RDMA on custom ports rather than only the default SMB ports.
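To see the change described above on a given machine, the following PowerShell script (an added example, not Microsoft's code or part of the original article) lists what each of the two rule groups opens, creates a share the way an admin normally would, and then reports any enabled inbound rule that still exposes NetBIOS ports 137-139. The group display names are the ones quoted above; the share name and path are made up for the demonstration, and the remediation step assumes the restrictive group exists on the build you run it on.

```powershell
# Added example (not Microsoft's code): compare the legacy and restrictive
# SMB firewall rule groups and find enabled inbound rules that still open
# the NetBIOS ports 137-139. Group display names are the ones the article
# quotes; the share name and path below are made up for the demonstration.
# Run in an elevated PowerShell session.

$legacy       = 'File and Printer Sharing'
$restrictive  = 'File and Printer Sharing (Restrictive)'
$netbiosPorts = '137', '138', '139'

function Get-SmbFirewallSummary {
    param([string]$Group)
    Get-NetFirewallRule -DisplayGroup $Group -Direction Inbound -ErrorAction SilentlyContinue |
        ForEach-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Group    = $Group
                Rule     = $_.DisplayName
                Enabled  = $_.Enabled
                Protocol = $pf.Protocol
                Port     = (@($pf.LocalPort) -join ',')
            }
        }
}

# 1. Show what each group would open if enabled. On a build without the
#    restrictive group the second call simply prints nothing.
Get-SmbFirewallSummary $legacy      | Format-Table -AutoSize
Get-SmbFirewallSummary $restrictive | Format-Table -AutoSize

# 2. Create a share the way an admin normally would (assumed path/name),
#    which is what triggers the automatic firewall rule enablement.
New-Item -Path 'C:\Shares\Data' -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'Data' -Path 'C:\Shares\Data' -ReadAccess 'Everyone' | Out-Null

# 3. Enabled inbound rules that still expose a NetBIOS port are the SMB1
#    artifacts the new behaviour avoids; older builds list them here.
$exposed = Get-NetFirewallRule -Direction Inbound -Enabled True | Where-Object {
    $ports = @(($_ | Get-NetFirewallPortFilter).LocalPort)
    ($ports | Where-Object { $netbiosPorts -contains $_ }).Count -gt 0
}
$exposed | Select-Object DisplayName, DisplayGroup, Profile | Format-Table -AutoSize

# 4. Remediation: prefer the restrictive group where it exists (SMB2+ only
#    needs TCP 445); otherwise switch off the NetBIOS rules individually.
if (Get-NetFirewallRule -DisplayGroup $restrictive -ErrorAction SilentlyContinue) {
    Disable-NetFirewallRule -DisplayGroup $legacy
    Enable-NetFirewallRule  -DisplayGroup $restrictive
} elseif ($exposed) {
    $exposed | Disable-NetFirewallRule
}
```

Step 3 is the useful check for fleet auditing: run it without steps 2 and 4 on existing file servers and any hit means a share created under the old behaviour is still advertising NetBIOS ports that nothing but SMB1 clients would use.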
In summary, Windows 11 is tightening SMB firewall rules and removing outdated SMB1 artifacts for better security, while admins keep the flexibility to customize the rules as needed.
Attempt To Make Windows more secure.
These SMB firewall changes are part of Microsoft’s big push to improve security in Windows and Windows Server.
Some other recent updates that are locking things down:
- Windows 11 preview builds let admins require SMB encryption for all outbound connections, so the client refuses to talk to servers that cannot encrypt. This prevents eavesdropping and interception.
- Admins can block NTLM authentication over SMB on the client, which stops pass-the-hash, NTLM relay, and offline password-cracking attacks that depend on capturing NTLM exchanges.
- SMB signing is now required by default, which defeats NTLM relay against SMB because a relayed session cannot produce valid signatures without the session key.
- SMB1 is now disabled by default in Windows 11 Home, the last edition that still shipped with the outdated protocol enabled.
- An SMB authentication rate limiter adds a delay (2 seconds by default) after each failed inbound authentication attempt, slowing brute-force attacks.
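The settings in the list above can all be applied from PowerShell. The script below is an added example (not from the article or from Microsoft) that records the current state, applies each hardening, and prints the result. It assumes the SmbShare cmdlet parameters that the Insider builds introduced are present (RequireEncryption and BlockNTLM on the client, InvalidAuthenticationDelayTimeInMs on the server); on older builds those lines fail and can be dropped.

```powershell
# Added example (not from the article): apply the SMB hardening settings
# listed above and show the before/after state. Assumes the Insider-build
# SmbShare parameters exist (RequireEncryption, BlockNTLM,
# InvalidAuthenticationDelayTimeInMs); older builds reject them.
# Run in an elevated PowerShell session; changes apply to new SMB sessions.

function Get-SmbHardeningState {
    $c = Get-SmbClientConfiguration
    $s = Get-SmbServerConfiguration
    [pscustomobject]@{
        ClientRequireEncryption = $c.RequireEncryption
        ClientBlockNTLM         = $c.BlockNTLM
        ClientRequireSigning    = $c.RequireSecuritySignature
        ServerRequireSigning    = $s.RequireSecuritySignature
        ServerSMB1Enabled       = $s.EnableSMB1Protocol
        ServerAuthDelayMs       = $s.InvalidAuthenticationDelayTimeInMs
        SMB1FeatureState        = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    }
}

'Before:'; Get-SmbHardeningState | Format-List

# Client side: only talk to servers that encrypt, never send NTLM, always sign.
Set-SmbClientConfiguration -RequireEncryption $true -Force
Set-SmbClientConfiguration -BlockNTLM $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# Server side: require signing, refuse SMB1, delay each failed auth by 2 s
# (the rate limiter; 2000 ms matches the default described above).
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Set-SmbServerConfiguration -InvalidAuthenticationDelayTimeInMs 2000 -Force

# Remove the SMB1 binaries entirely so a later config change cannot
# quietly re-enable the protocol.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

'After:'; Get-SmbHardeningState | Format-List
```

Two caveats before rolling this out via Group Policy: RequireEncryption breaks access to any server that only speaks SMB 2.0 or SMB1 (many NAS appliances), and BlockNTLM breaks access to hosts reached by IP address or outside the domain, where Kerberos cannot be used. Test the “After” state against your server inventory first.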
Microsoft has steadily enhanced SMB security with mandatory encryption and signing, disabling risky protocols, and adding new protections. These changes harden SMB against common attacks such as interception, credential relaying, and password brute-forcing.
The latest firewall tweak is part of this ongoing mission to modernize SMB and make it more secure across Windows devices.