SMB firewall rule changes in Windows Insider

Heya folks, Ned here again. Starting with Windows 11 Insider preview Build 25992 (Canary), creating shares changes a longtime Windows Defender default behavior.

Before

Previously, creating a share automatically configured the firewall to enable the rules in the “File and Printer Sharing” group for the given profiles. This began in Windows XP SP2 with the introduction of the then-new built-in firewall, and the rule was designed both for SMB1 and for ease of deployment of a wide array of SMB-using technology, including printing, legacy , and others.

Now

Windows now automatically configures the new “File and Printer Sharing (Restrictive)” group when you create an SMB share. This group no longer contains inbound NetBIOS ports 137-139; those ports are not used by SMB2 or later and are an artifact of SMB1. If you reinstall the SMB1 server for some legacy compatibility reason, you will need to ensure that those firewall ports are reopened.


This change enforces a higher degree of security by default and brings SMB firewall rules closer to the “File Server” role behavior, which only opens the minimum ports needed to connect to and manage sharing. Administrators can still configure the “File and Printer Sharing” group if necessary, and can modify this new firewall group; these are just the default behaviors.
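To see which of the two groups is actually in effect on a machine, and whether any enabled inbound rule still opens the SMB1-era NetBIOS ports, an administrator can audit both groups. This is an added example, not code from the original post; it assumes an elevated PowerShell session on a build that has the “File and Printer Sharing (Restrictive)” group and the built-in NetSecurity cmdlets.

```powershell
# Added example: audit inbound rules in the legacy and restrictive SMB sharing groups
# and flag any rule that opens NetBIOS ports 137-139 (only needed for SMB1).
# Assumes an elevated session; older builds will simply report the new group as absent.
$groups = @('File and Printer Sharing', 'File and Printer Sharing (Restrictive)')
$netbiosPorts = 137..139

function Test-OpensNetBIOS {
    param([string[]]$LocalPorts)
    # LocalPort may be a single port, a range such as '137-139', or 'Any'
    foreach ($port in $LocalPorts) {
        if ($port -eq 'Any') { return $true }
        if ($port -match '^(\d+)-(\d+)$') {
            if ([int]$Matches[1] -le 139 -and [int]$Matches[2] -ge 137) { return $true }
        }
        elseif ($port -match '^\d+$' -and $netbiosPorts -contains [int]$port) {
            return $true
        }
    }
    return $false
}

foreach ($group in $groups) {
    $rules = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue
    if (-not $rules) {
        Write-Host "Group '$group' is not present on this build"
        continue
    }
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Group     = $group
            Rule      = $rule.DisplayName
            Enabled   = $rule.Enabled
            Protocol  = $filter.Protocol
            LocalPort = (@($filter.LocalPort) -join ',')
            NetBIOS   = Test-OpensNetBIOS -LocalPorts @($filter.LocalPort)
        }
    }
}
```

After creating a share on the new build, only rules in the restrictive group should show Enabled = True; an enabled legacy-group rule with NetBIOS = True means SMB1-era ports are reachable and should be reviewed unless SMB1 is deliberately in use.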

Final Note

We plan future updates for this rule to also remove inbound ICMP, LLMNR, and Spooler Service ports and restrict down to the SMB sharing-necessary ports only.

This is part of a campaign to improve the security of Windows for the modern landscape. You've read my posts on SMB security changes over the past year:

For more information on securing SMB on Windows in-market, check out:

Ned Pyle


This article was originally published by Microsoft’s Server Storage at Microsoft Blog. You can find the original article here.