Microsoft wants to bulk up the security in Windows Pro editions by ensuring the SMB insecure guest authentication fallbacks are no longer the default setting in the operating system.
The move, which is included in the Windows 11 Insider Preview Build 25276 released this month, means that systems running Windows 10 version 1709 or later or Windows Server 2019 will, over SMB2 and SMB3, no longer allow guest account access to a remote server by default, nor allow a user who supplies invalid credentials to fall back to the guest account.
This brings Windows Pro editions in line with the stronger defaults in Enterprise and Education editions, where the guest fallback has been disabled by default since Windows 10, according to the enterprise software maker.
A key problem is that guest logons don’t require passwords and don’t support basic security features like signing and encryption, Ned Pyle, principal program manager at Microsoft, wrote in a blog post.
“Allowing a client to use guest logons makes the user vulnerable to attacker-in-the-middle scenarios or malicious server scenarios – for instance, a phishing attack that tricks a user into opening a file on a remote share or a spoofed server that tricks a client into thinking it’s a legitimate one,” Pyle wrote. “The attacker doesn’t need to know the user’s credentials and a bad password is ignored. Only third-party remote devices might require guest access by default.”
In another blog post, Microsoft wrote that Windows client and Windows Server haven’t allowed guest access or remote users to connect as guest or anonymous users since Windows 2000. Only third-party remote devices may require guest access by default, but systems running Windows don’t.
That said, Microsoft is urging users not to go back to allowing guest access as a default. If a remote device is configured to use guest credentials, the process should be for an administrator to disable guest access to the device and configure the correct authentication and authorization.
If a remote storage device such as a small-business NAS requires guest access, the user will see one of a number of error messages when connecting from Windows 11 Insider Pro over SMB, including:
- You can’t access this shared folder because your organization’s security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.
- Error code: 0x80070035
- The network path was not found.
Anyone seeing these error messages will need to configure the remote device to require a username and password for SMB connections so it no longer needs guest authentication. If the device can’t be configured to meet the new requirements, or needs temporary access to migrate data to a safe device, steps to enable insecure guest access in SMB2 and SMB3 can be found here.
Pyle also wrote that users should not use SMB1 as a workaround because of the various security issues with that protocol, which has been disabled by default in all versions of Windows. The latest protection against insecure guest authentication doesn’t apply to SMB1.
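As an added example, not code from the article or from Microsoft, the following elevated PowerShell script audits a Windows client for the two settings discussed above: whether the SMB client still permits the insecure guest fallback, and whether the SMB1 feature is present. With `-Remediate` it enforces the hardened defaults. The `SmbShare` cmdlets, the `SMB1Protocol` optional feature and the `AllowInsecureGuestAuth` policy value are standard Windows names; the `-Remediate` switch and the report labels are this script's own assumptions.

```powershell
# Added example: audit (and optionally enforce) the SMB guest-fallback and SMB1 state on a
# Windows 10 1709+/Server 2019+ client. Run from an elevated PowerShell session.
param([switch]$Remediate)

$client = Get-SmbClientConfiguration

# Registry value written by the "Enable insecure guest logons" Group Policy setting
# (1 = guest fallback allowed, 0 = blocked). Absent means the OS default applies.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$policy  = (Get-ItemProperty -Path $regPath -Name AllowInsecureGuestAuth -ErrorAction SilentlyContinue).AllowInsecureGuestAuth

# SMB1 is a separate optional feature; it may already have been removed from the image.
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

$findings = [ordered]@{
    'SMB client allows insecure guest logons' = $client.EnableInsecureGuestLogons
    'AllowInsecureGuestAuth policy value'     = if ($null -eq $policy) { 'not set (OS default applies)' } else { $policy }
    'SMB client requires signing'             = $client.RequireSecuritySignature
    'SMB1Protocol feature state'              = if ($smb1) { $smb1.State } else { 'not present' }
}

$findings.GetEnumerator() | ForEach-Object { '{0,-42} : {1}' -f $_.Key, $_.Value }

if ($Remediate) {
    if ($client.EnableInsecureGuestLogons) {
        # Block the guest/anonymous fallback. Shares that only work with guest access will now
        # fail with the 0x80070035 "network path was not found" error quoted in the article,
        # which is the cue to give the remote device a real account instead.
        Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force
        Write-Host 'Insecure guest logons disabled on the SMB client.'
    }
    if ($smb1 -and $smb1.State -eq 'Enabled') {
        # SMB1 is not a workaround for guest-share failures; remove it rather than rely on it.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Host 'SMB1Protocol feature disabled (restart required).'
    }
}
```

Run it without `-Remediate` first to record the current state before changing anything; on a domain-joined machine the policy value, if set, will override a local `Set-SmbClientConfiguration` change at the next policy refresh.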