SMB insecure guest auth now off by default in Windows 11 Insider Pro editions

Topic

New Reply

https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-insecure-guest-auth-now-off-by-default-in-windows-insider/ba-p/3715014

Heya folks, Ned here again. Starting in Windows 11 Insider Preview Build 25276, the Pro editions of Windows now disable SMB insecure guest authentication fallbacks by default.

Guest logons don’t require passwords & don’t support standard security features like signing and encryption. Allowing a client to use guest logons makes the user vulnerable to attacker-in-the-middle scenarios or malicious server scenarios – for instance, a phishing attack that tricks a user into opening a file on a remote share or a spoofed server that tricks a client into thinking it’s a legitimate one. The attacker doesn’t need to know the user’s credentials and a bad password is ignored. Only third-party remote devices might require guest access by default. Microsoft-provided operating systems haven’t allowed the general use of guest in server scenarios since Windows 2000. The change in Windows 10 was to additionally prevent SMB 2 and 3 to fallback to guest after a bad password when a server requests it.

If your legitimate remote storage device requires guest – typically a consumer or small business NAS – you will now see one of the following errors when connecting from Window 11 Insider Pro over SMB:

You can’t access this shared folder because your organization’s security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.

Error code: 0x80070035

The network path was not found…..

1 user thanked author for this post.

Cybertooth

Reply | Quote