
SMB insecure guest auth now off by default in Windows Insider Pro editions



Guest Ned Pyle
Posted

Heya folks, Ned here again. Starting in Windows 11 Insider Preview Build 25276, the Pro editions of Windows now disable SMB insecure guest authentication fallbacks by default.

Guest logons don't require passwords & don't support standard security features like signing and encryption. Allowing a client to use guest logons makes the user vulnerable to attacker-in-the-middle scenarios or malicious server scenarios - for instance, a phishing attack that tricks a user into opening a file on a remote share or a spoofed server that tricks a client into thinking it's a legitimate one. The attacker doesn't need to know the user's credentials and a bad password is ignored. Only third-party remote devices might require guest access by default. Microsoft-provided operating systems haven't allowed the general use of guest in server scenarios since Windows 2000. The change in Windows 10 was to additionally prevent SMB 2 and 3 from falling back to guest after a bad password when a server requests it.

If your legitimate remote storage device requires guest - typically a consumer or small business NAS - you will now see one of the following errors when connecting from Windows 11 Insider Pro over SMB:

You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.

Error code: 0x80070035
The network path was not found.

Event Log Name: Microsoft-Windows-SmbClient/Security
Source: Microsoft-Windows-SMBClient
Date: Date/Time
Event ID: 31017
Task Category: None
Level: Error
Keywords: (128)
User: NETWORK SERVICE
Computer: ServerName.contoso.com
Description: Rejected an insecure guest logon.
User name: Ned
Server name: ServerName

The recommended solution when seeing these errors is to configure the remote device to stop requiring guest authentication. It will be a third-party device, not Windows, so you'll need to locate their documentation and possibly update or replace the device. If your device allows guest access, any device or person on your network can read or copy all of your shared data without any audit trail or credentials.

If you can't configure your third-party device to be secure or need to temporarily allow access in order to migrate data to a safe device, you can enable insecure guest access using the steps in Guest access in SMB2 and SMB3 is disabled.

You should not enable SMB1 as a workaround; that protocol has numerous security vulnerabilities and it is disabled by default in all versions of Windows. The insecure guest authentication protection does not apply to SMB1.
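To see where a client stands before (or after) this change, here is an added audit script that is not part of Ned's post: it reports the client's effective insecure-guest-logon setting, shows whether a policy/registry override is in place, and groups the 31017 events above by the server that triggered them, so you know which NAS devices still need to be reconfigured to require credentials. It assumes (not stated on the page) the LanmanWorkstation registry value name AllowInsecureGuestAuth and the EnableInsecureGuestLogons property of Get-SmbClientConfiguration used by current Windows clients, and it parses the "Server name:" text from the event message as shown above.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell window.
# Assumed (not on the page): registry value name and SMB client cmdlet property name.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# 1. Effective client setting reported by the SMB client cmdlets.
$cfg = Get-SmbClientConfiguration
Write-Host "EnableInsecureGuestLogons (effective): $($cfg.EnableInsecureGuestLogons)"

# 2. Explicit policy/registry override, if any (absent = the edition's built-in default applies).
$reg = Get-ItemProperty -Path $regPath -Name AllowInsecureGuestAuth -ErrorAction SilentlyContinue
if ($null -eq $reg) {
    Write-Host "AllowInsecureGuestAuth: not set (edition default applies)"
} else {
    Write-Host "AllowInsecureGuestAuth: $($reg.AllowInsecureGuestAuth)  (1 = guest fallback allowed)"
}

# 3. Which servers were refused an insecure guest logon (event 31017) in the last 30 days.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-SmbClient/Security'
    Id        = 31017
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No 31017 events: no share attempted a guest fallback in the window."
} else {
    # The server name is embedded in the message text ("Server name: X"); pull it out with a regex.
    $events | ForEach-Object {
        $server = if ($_.Message -match 'Server name:\s*(\S+)') { $Matches[1] } else { '<unknown>' }
        [pscustomobject]@{ Time = $_.TimeCreated; Server = $server }
    } | Group-Object Server | Sort-Object Count -Descending |
      Select-Object @{n='Server';e={$_.Name}}, Count,
                    @{n='LastSeen';e={($_.Group.Time | Measure-Object -Maximum).Maximum}} |
      Format-Table -AutoSize
}

# 4. Once every device in the list has been fixed or replaced, make sure the fallback is off
#    (the same setting the post's linked article shows how to turn on temporarily):
#    Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Confirm:$false
```

A server that keeps appearing in the 31017 list after you believe you have reconfigured it is still answering with a guest-only session, so re-check its share permissions rather than re-enabling the fallback on the client.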

This change is part of our march towards greater default Windows security and brings Pro behavior in line with Windows 10 and Windows 11 Enterprise and Education, where this took effect years ago. At the next major release of Windows 11 Pro, this will be the default.

Until next time,

Ned Pyle
