Microsoft is hardening Windows 11 with two additions now in Insider builds: support for Discovery of Network-designated Resolvers (DNR), which lets a client learn the network's encrypted DNS server automatically, and a Server Message Block (SMB) client setting that mandates encryption for every connection the client makes.
Server Message Block (SMB) client encryption mandate
SMB is central to Windows network security, and Microsoft has been tightening its defaults through 2023. In May it made SMB signing required by default in the Windows Enterprise Insider builds, and in June it published details of further SMB authentication hardening. The latest announcement adds two more pieces in Windows 11: an SMB client encryption mandate and support for Discovery of Network-designated Resolvers (DNR).
Windows 11 Canary build 25982, released just recently, is the first build to carry the SMB client encryption mandate. SMB encryption protects data in transit between client and server. It was introduced with SMB 3.0 in Windows 8 and Windows Server 2012 using AES-128-CCM; SMB 3.1.1 added AES-128-GCM, and Windows 11 and Windows Server 2022 added AES-256-GCM.
The new setting lets an administrator configure a client to require SMB encryption from every server it connects to. If the server does not support SMB 3.x, or supports it but has encryption switched off, the client refuses the connection instead of falling back to a signed or cleartext session, which closes off interception and tampering on the wire. Microsoft has published guidance for configuring the setting through Group Policy or PowerShell.
Microsoft also points to the trade-off between security, performance and compatibility. SMB signing is cheaper than encryption but protects integrity only: it stops tampering and relay attacks, yet leaves the data readable to anyone on the path. Encryption protects both confidentiality and integrity, so once it is required, signing adds nothing further; the cost is higher CPU load and the loss of any server that cannot negotiate SMB 3.x encryption.
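The PowerShell side of the procedure above, as an added example that is not code from the article or from Microsoft: it turns on the client-side mandate, probes a server, and reports what the connection negotiated. It assumes an elevated session on a build that has the RequireEncryption setting (Canary 25982 or later); '\\fileserver\share' is a placeholder, not a real host.

```powershell
# Added example (not from the original article or Microsoft): require SMB encryption on the
# client, then verify what a live connection negotiated. Run elevated on Canary 25982 or later.
#Requires -RunAsAdministrator

# 1. Record the current client policy so the change can be reverted.
$before = Get-SmbClientConfiguration |
    Select-Object RequireEncryption, RequireSecuritySignature, EnableSecuritySignature
$before

# 2. Require encryption on every outbound SMB connection. With this set, a server that only
#    speaks SMB 1.x/2.x, or an SMB 3.x server with encryption disabled, is refused instead of
#    getting a signed or cleartext session. The Group Policy equivalent is documented under
#    Computer Configuration > Administrative Templates > Network > Lanman Workstation.
Set-SmbClientConfiguration -RequireEncryption $true -Force

# 3. Probe a server. Test-Path has to open an SMB session, so a server that cannot encrypt
#    fails here rather than silently downgrading.
$share = '\\fileserver\share'      # placeholder target, not a real host
if (Test-Path -Path $share -ErrorAction SilentlyContinue) {
    # Dialect shows the negotiated SMB version; Encrypted confirms the session is protected.
    Get-SmbConnection -ServerName 'fileserver' |
        Select-Object ServerName, ShareName, Dialect, Encrypted
} else {
    Write-Warning "$share refused or unreachable: check that it offers SMB 3.x with encryption enabled"
}

# 4. Rollback for environments that still depend on a legacy server: fall back to requiring
#    signing, which keeps tamper and relay protection while giving up confidentiality.
# Set-SmbClientConfiguration -RequireEncryption $false -RequireSecuritySignature $true -Force
```

Step 3 is the useful check: a share that was reachable before the change and is refused after it is exactly the server that was being talked to without encryption, and the Encrypted column on the surviving connections is the evidence that the mandate is doing its job rather than merely being set.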
The other notable addition in Windows 11 Canary build 25982 is DNR support. DNR is an IETF specification (published as RFC 9463) for discovering a network's encrypted DNS servers. Until now a client had to be configured by hand with the address and name of an encrypted resolver; DNR lets the network advertise that information so the client can set up DNS over HTTPS (DoH) or DNS over TLS (DoT) automatically.
The exchange itself is straightforward. When a DNR-capable client joins a new network, its DHCP request asks for the DNR option alongside an IP address. A DNR-aware DHCP server answers with one or more resolver entries, each carrying the encrypted DNS server's IP address(es), the encrypted protocols it supports, the port, and an Authentication Domain Name (ADN). The ADN is not a credential: it is the name the client validates the resolver's TLS certificate against, so an on-path attacker cannot impersonate the advertised resolver (whether to trust the advertised resolver at all remains a client policy decision). With those parameters the client connects to the encrypted resolver without any manual configuration.
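What the client actually receives, as an added example that is not code from the article or from Microsoft: a decoder for the DHCPv4 DNR option (OPTION_V4_DNR, option code 162) following the wire layout in RFC 9463 section 4.1 and the SvcParams encoding of RFC 9460, followed by the acceptance check a client should apply before using an entry. The option bytes are constructed for this example, and dns.example.net and 192.0.2.53 are placeholders, not a real resolver.

```powershell
# Added example (not from the original article or Microsoft): decode OPTION_V4_DNR as a
# DNR-aware DHCP server sends it, then apply the client-side acceptance check.

function Read-WireName {
    # The ADN is a DNS wire-format name: length-prefixed labels ending in a zero byte.
    param([byte[]]$Bytes, [int]$Offset, [int]$Length)
    $labels = @(); $i = $Offset; $end = $Offset + $Length
    while ($i -lt $end) {
        $len = [int]$Bytes[$i]; $i++
        if ($len -eq 0) { break }
        $labels += [Text.Encoding]::ASCII.GetString($Bytes, $i, $len)
        $i += $len
    }
    return ($labels -join '.')
}

function Read-SvcParams {
    # Repeated { key(2) length(2) value } records; DNR uses alpn, port and dohpath.
    param([byte[]]$Bytes, [int]$Offset, [int]$End)
    $params = [ordered]@{}; $i = $Offset
    while ($i + 4 -le $End) {
        $key = ([int]$Bytes[$i] -shl 8) -bor $Bytes[$i + 1]
        $len = ([int]$Bytes[$i + 2] -shl 8) -bor $Bytes[$i + 3]
        $i += 4
        [byte[]]$val = if ($len -gt 0) { $Bytes[$i..($i + $len - 1)] } else { @() }
        switch ($key) {
            1 {   # alpn: sequence of 1-byte-length-prefixed protocol ids
                $ids = @(); $j = 0
                while ($j -lt $len) {
                    $l = [int]$val[$j]
                    $ids += [Text.Encoding]::ASCII.GetString($val, $j + 1, $l)
                    $j += 1 + $l
                }
                $params['alpn'] = $ids
            }
            3 { $params['port'] = ([int]$val[0] -shl 8) -bor $val[1] }
            7 { $params['dohpath'] = [Text.Encoding]::UTF8.GetString($val) }
            default { $params["key$key"] = -join ($val | ForEach-Object { $_.ToString('x2') }) }
        }
        $i += $len
    }
    return $params
}

function ConvertFrom-DnrV4Option {
    param([byte[]]$Option)   # option code, option length, then one or more DNR instances
    if ($Option[0] -ne 162) { throw "not OPTION_V4_DNR (162): got code $($Option[0])" }
    $end = 2 + [int]$Option[1]; $i = 2
    while ($i -lt $end) {
        $instEnd  = $i + 2 + (([int]$Option[$i] -shl 8) -bor $Option[$i + 1])
        $priority = ([int]$Option[$i + 2] -shl 8) -bor $Option[$i + 3]
        $adnLen   = [int]$Option[$i + 4]
        $adn      = Read-WireName -Bytes $Option -Offset ($i + 5) -Length $adnLen
        $j = $i + 5 + $adnLen
        $addrLen = [int]$Option[$j]; $j++
        $addrs = @(for ($k = 0; $k -lt $addrLen; $k += 4) { $Option[($j + $k)..($j + $k + 3)] -join '.' })
        [pscustomobject]@{
            Priority  = $priority     # lower value wins, as for SVCB SvcPriority
            Adn       = $adn          # name the resolver's TLS certificate must match
            Addresses = $addrs
            SvcParams = Read-SvcParams -Bytes $Option -Offset ($j + $addrLen) -End $instEnd
        }
        $i = $instEnd
    }
}

# Constructed sample, as a DNR-aware DHCP server would send it: one instance, priority 1,
# ADN dns.example.net, address 192.0.2.53, alpn=h2, port=443, dohpath=/dns-query{?dns}.
$hex = -join @(
    'A23C',                                     # option 162, length 60
    '003A', '0001', '11',                       # instance length 58, priority 1, ADN length 17
    '03646E73076578616D706C65036E657400',       # "dns.example.net" in wire format
    '04', 'C0000235',                           # one IPv4 address, 192.0.2.53
    '00010003026832',                           # alpn = h2
    '0003000201BB',                             # port = 443
    '000700102F646E732D71756572797B3F646E737D'  # dohpath = /dns-query{?dns}
)
[byte[]]$option = 0..($hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($hex.Substring(2 * $_, 2), 16) }
$instances = @(ConvertFrom-DnrV4Option -Option $option)

# Client-side acceptance check. DHCP is unauthenticated, so a rogue DHCP server can hand out
# any entry it likes; the client's defence is to accept only encrypted transports and to
# validate the resolver's certificate against the ADN when it connects.
$usable = foreach ($inst in ($instances | Sort-Object Priority)) {
    $alpn = @($inst.SvcParams['alpn'])
    if ($inst.Adn -and ($alpn | Where-Object { $_ -in 'dot', 'h2', 'h3' })) { $inst }
}
$usable | Select-Object Priority, Adn, Addresses,
    @{ n = 'DoHTemplate'; e = { "https://$($_.Adn):$($_.SvcParams['port'])$($_.SvcParams['dohpath'])" } }
```

The decoder is the same shape as the DHCPv6 and Router Advertisement variants of the option; they use option code 144, two-byte length fields for the ADN and address list, and IPv6 addresses, but the priority, ADN and SvcParams semantics are unchanged, and so is the acceptance check at the end.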
Microsoft has published a guide for trying DNR on Windows 11 Canary. Two caveats apply: DNR via the IPv6 Router Advertisement option is not supported in this build, and both features, the SMB client encryption mandate and DNR support, are still being trialled in Insider Preview builds with no announced release date.