Heya folks, Ned here again. Starting in Windows 11 Insider Preview Build 25276, the Pro editions of Windows now disable SMB insecure guest authentication fallbacks by default.
Guest logons don't require passwords & don't support standard security features like signing and encryption. Allowing a client to use guest logons makes the user vulnerable to attacker-in-the-middle scenarios or malicious server scenarios - for instance, a phishing attack that tricks a user into opening a file on a remote share or a spoofed server that tricks a client into thinking it's a legitimate one. The attacker doesn't need to know the user's credentials and a bad password is ignored. Only third-party remote devices might require guest access by default. Microsoft-provided operating systems haven't allowed the general use of guest in server scenarios since Windows 2000. The change in Windows 10 was to additionally prevent SMB 2 and 3 to fallback to guest after a bad password when a server requests it.
If your legitimate remote storage device requires guest - typically a consumer or small business NAS - you will now see one of the following errors when connecting from Window 11 Insider Pro over SMB:
You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.Error code: 0x80070035The network path was not found.Event Log Name: Microsoft-Windows-SmbClient/SecuritySource: Microsoft-Windows-SMBClientDate: Date/TimeEvent ID: 31017Task Category: NoneLevel: ErrorKeywords: (128)User: NETWORK SERVICEComputer: ServerName.contoso.comDescription: Rejected an insecure guest logon.User name: NedServer name: ServerName
The recommended solution when seeing these errors is to configure the remote device to stop requiring guest authentication. It will be a third-party device, not Windows, so you'll need to locate their documentation and possibly update or replace the device. If your device allows guest access, any device or person on your network can read or copy all of your shared data without any audit trail or credentials.
If you can't configure your third-party device to be secure or need to temporarily allow access in order to migrate data to safe device, you can enable insecure guest access using the steps in Guest access in SMB2 and SMB3 is disabled.
You should not enable SMB1 as a workaround; that protocol has numerous security vulnerabilities and it disabled by default in all versions of Windows. The insecure guest authentication protection does not apply to SMB1.
This change is part of our march towards greater default Windows security and brings Pro behavior in line with Windows 10 and Windows 11 Enterprise and Education, where this took effect years ago. At the next major release of Windows 11 Pro, this will be the default.
Until next time,
Ned Pyle
Source:
SMB insecure guest auth now off by default in Windows Insider Pro editions
Insecure guest auth for SMB 2 and 3 is now off by default in Windows Insider Pro editions just like Windows 10 and Windows 11 Enterprise and Education editions
techcommunity.microsoft.com
