Storage at Microsoft

SMB insecure guest auth now off by default in Windows Insider Pro editions

NedPyle (Microsoft)
Jan 13, 2023

Heya folks, Ned here again. Starting in Windows 11 Insider Preview Build 25276, the Pro editions of Windows disable SMB insecure guest authentication fallbacks by default. We previously turned this off by default in the Enterprise and Education editions of Windows 10 and Windows 11; you can read more about that in Guest access in SMB2 and SMB3 is disabled.

Guest logons don't require passwords and don't support standard security features like signing and encryption. Allowing a client to use guest logons makes the user vulnerable to attacker-in-the-middle or malicious-server scenarios - for instance, a phishing attack that tricks a user into opening a file on a remote share, or a spoofed server that tricks a client into thinking it's a legitimate one. The attacker doesn't need to know the user's credentials, and a bad password is simply ignored. Only third-party remote devices are likely to require guest access by default: Microsoft-provided operating systems haven't allowed the general use of guest in server scenarios since Windows 2000. The change in Windows 10 additionally prevents the SMB 2 and SMB 3 client from falling back to guest after a bad password when a server requests it.

If your legitimate remote storage device requires guest - typically a consumer or small-business NAS - you will now see one of the following errors when connecting from Windows 11 Insider Pro over SMB:

You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.

Error code: 0x80070035
The network path was not found.

Event Log Name: Microsoft-Windows-SmbClient/Security

Source: Microsoft-Windows-SMBClient
Date: Date/Time
Event ID: 31017
Task Category: None
Level: Error
Keywords: (128)
User: NETWORK SERVICE
Computer: ServerName.contoso.com
Description: Rejected an insecure guest logon.
User name: Ned
Server name: ServerName

The recommended solution when seeing these errors is to configure the remote device to stop requiring guest authentication. It will be a third-party device, not Windows, so you'll need to locate the vendor's documentation and possibly update or replace the device. If your device allows guest access, any device or person on your network can read or copy all of your shared data without any credentials or audit trail.

If you can't configure your third-party device to be secure, or need to temporarily allow access in order to migrate data to a safe device, you can enable insecure guest access using the steps in Guest access in SMB2 and SMB3 is disabled.

You should not enable SMB1 as a workaround; that protocol has numerous security vulnerabilities and is disabled by default in current Windows and Windows Server releases. The insecure guest authentication protection does not apply to SMB1.

Important: SMB signing (and encryption) is incompatible with guest access: you cannot derive a signing or encryption session key from an account that has no password. For example, if you try to connect to a third-party device with guest access while SMB signing is required, you will receive: "System error 3227320323 has occurred." To resolve this error, don't use guest access (recommended) or turn off SMB signing (not recommended).
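The checks and the temporary opt-in described above, pulled together into one client-side script. This is an added example, not code from the original post or from Microsoft; it assumes a Windows 10/11 client with the SmbShare module, the function names are this example's own, and it relies only on the log name, event IDs and registry value quoted in the post (plus the policy-side copy of that value, which a GPO writes under HKLM\SOFTWARE\Policies and which takes precedence over the local one).

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post or from Microsoft: audit a
# Windows client's SMB guest-fallback state, list the servers that triggered
# event 31017, and perform (and revert) the temporary opt-in described above.
# Function names are this example's own; the log name, event IDs and registry
# value are the ones quoted in the post.

$RegPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'  # written by the GPO; takes precedence
$LogName    = 'Microsoft-Windows-SmbClient/Security'

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns the DWORD, or $null when the value (or its key) does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-SmbGuestAuthState {
    # Effective setting as the SMB client cmdlet reports it, alongside the raw
    # registry values. A missing local value means the default of 0 (refuse guest).
    $cfg    = Get-SmbClientConfiguration
    $local  = Get-RegDword $RegPath    'AllowInsecureGuestAuth'
    $policy = Get-RegDword $PolicyPath 'AllowInsecureGuestAuth'
    if ($null -eq $local)  { $local  = 0 }
    if ($null -eq $policy) { $policy = '<not set>' }
    # SMB1 should stay off; the guest protection above does not apply to it.
    $smb1 = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue).State
    [pscustomobject]@{
        EnableInsecureGuestLogons    = $cfg.EnableInsecureGuestLogons
        AllowInsecureGuestAuth       = [int]$local
        PolicyAllowInsecureGuestAuth = $policy
        RequireSecuritySignature     = $cfg.RequireSecuritySignature
        Smb1FeatureState             = $smb1
    }
}

function Get-RejectedGuestServers {
    param([int]$Days = 30)
    # Event 31017 is the only audit signal: the client logs it when it refuses a
    # server's request to fall back to guest. Grouped by server, it is the list of
    # devices to fix (or migrate away from) before anyone considers the opt-in.
    $filter = @{ LogName = $LogName; Id = 31017; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Parse the rendered description shown in the post ("Server name: X").
            $server = if ($_.Message -match 'Server name:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
            [pscustomobject]@{ Time = $_.TimeCreated; Server = $server }
        } |
        Group-Object -Property Server |
        ForEach-Object {
            [pscustomobject]@{
                Server   = $_.Name
                Rejected = $_.Count
                LastSeen = ($_.Group | Sort-Object -Property Time -Descending | Select-Object -First 1).Time
            }
        } |
        Sort-Object -Property Rejected -Descending
}

function Test-GuestSigningConflict {
    # A guest session has no password, so no signing/encryption key can be
    # derived from it. With signing required, guest connections fail with
    # "System error 3227320323" even after the opt-in, so flag that combination.
    $s = Get-SmbGuestAuthState
    return [bool]($s.EnableInsecureGuestLogons -and $s.RequireSecuritySignature)
}

function Enable-InsecureGuestLogonsTemporarily {
    param([Parameter(Mandatory)][string]$Reason)
    # Cmdlet form of the opt-in in the linked article (AllowInsecureGuestAuth=1).
    # Expect warning event 31018 in the SmbClient/Security log once this is set.
    Set-SmbClientConfiguration -EnableInsecureGuestLogons $true -Force
    Write-Warning "Insecure guest logons ENABLED for: $Reason. Run Disable-InsecureGuestLogons when the migration is finished."
    if (Test-GuestSigningConflict) {
        Write-Warning 'SMB signing is required on this client, so guest connections will still fail (error 3227320323). Fix the device rather than turning signing off.'
    }
}

function Disable-InsecureGuestLogons {
    # Back to the secure default; 31017 events resume for any device still asking for guest.
    Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force
}

# Typical run: audit first, decide second.
Get-SmbGuestAuthState    | Format-List
Get-RejectedGuestServers | Format-Table -AutoSize
```

Run it on the client, not the NAS: 31017 is a client-side event, so the grouped list tells you which devices are still asking for guest from this machine. If the opt-in is ever used, the 31018 warning is the thing to alert on in your SIEM, and the revert function should be scheduled, not remembered.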

 

Final Notes

This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:

For more information on securing SMB on Windows in-market, check out:

Until next time,

Ned Pyle

Updated Jul 02, 2024
Version 6.0
  • Thanks Ned, finally! There are still people who love SMB1 😞 and it should be disabled by default and kept disabled.

  • ori2sh
    Copper Contributor

    Thanks for the info, I was wondering if there is an audit event that indicates usage of insecure guest logon.

    The event described in the article is an indication after the operation is blocked: Description: Rejected an insecure guest logon.

    I was wondering if there is an event ID that can trace successful insecure guest logons as well.

  • Hi ori2sh. Sorry, no; we just have the rejected event 31017 and an event for when someone has turned on guest auth.

    Log Name: Microsoft-Windows-SmbClient/Security
    Source: Microsoft-Windows-SMBClient
    Date: Date/Time
    Event ID: 31018
    Task Category: None
    Level: Warning
    Keywords: (128)
    User: NETWORK SERVICE
    Computer: ServerName.contoso.com
    Description: The AllowInsecureGuestAuth registry value is not configured with default settings.

    Default registry value:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters] "AllowInsecureGuestAuth"=dword:0

    Configured registry value:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters] "AllowInsecureGuestAuth"=dword:1

    If you have enabled guest auth and want to know when it's actually happening, you'll need to look at network traces from the client. It's not a bad idea to add more auditing here, I'll think about it for a future release.

  • ori2sh
    Copper Contributor

    Hi NedPyle,

    Thank you for your response. It would be great to know if there is actual usage before we break applications or processes (so we can ask application owners to fix that behavior before we enforce the policy).

    Thanks,

    Orit.

  • I chatted about this with my partner dev yesterday; I think we'll put it on the roadmap.

    I can say that only third parties on the server-side will be asking for guest auth fallback. Windows stopped allowing it in Windows 2000. So the scenario likely only affects a non-Windows device and only when it's connected to. Historically that's a consumer NAS...

  • ori2sh
    Copper Contributor

    NedPyle 

    Thank you, I really appreciate that!

    I agree that most likely it is a non-Windows machine or some 3rd party legacy application.