Heya folks, Ned here again. Starting in Windows 11 Insider Preview Build 25276, the Pro editions of Windows now disable SMB insecure guest authentication fallbacks by default. We previously turned it off by default in Windows 10 and Windows 11 Enterprise and Education editions, you can read more about that in Guest access in SMB2 and SMB3 is disabled.
Guest logons don't require passwords & don't support standard security features like signing and encryption. Allowing a client to use guest logons makes the user vulnerable to attacker-in-the-middle scenarios or malicious server scenarios - for instance, a phishing attack that tricks a user into opening a file on a remote share or a spoofed server that tricks a client into thinking it's a legitimate one. The attacker doesn't need to know the user's credentials and a bad password is ignored. Only third-party remote devices might require guest access by default. Microsoft-provided operating systems haven't allowed the general use of guest in server scenarios since Windows 2000. The change in Windows 10 was to additionally prevent SMB 2 and 3 to fallback to guest after a bad password when a server requests it.
If your legitimate remote storage device requires guest - typically a consumer or small business NAS - you will now see one of the following errors when connecting from Window 11 Insider Pro over SMB:
You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.
Error code: 0x80070035
The network path was not found.
Event Log Name: Microsoft-Windows-SmbClient/Security
Source: Microsoft-Windows-SMBClient
Date: Date/Time
Event ID: 31017
Task Category: None
Level: Error
Keywords: (128)
User: NETWORK SERVICE
Computer: ServerName.contoso.com
Description: Rejected an insecure guest logon.
User name: Ned
Server name: ServerName
The recommended solution when seeing these errors is to configure the remote device to stop requiring guest authentication. It will be a third-party device, not Windows, so you'll need to locate their documentation and possibly update or replace the device. If your device allows guest access, any device or person on your network can read or copy all of your shared data without any audit trail or credentials.
If you can't configure your third-party device to be secure or need to temporarily allow access in order to migrate data to safe device, you can enable insecure guest access using the steps in Guest access in SMB2 and SMB3 is disabled.
You should not enable SMB1 as a workaround; that protocol has numerous security vulnerabilities and it disabled by default in all versions of Windows. The insecure guest authentication protection does not apply to SMB1.
Important: SMB signing (and encryption) are incompatible with guest access. You cannot create a signing or encryption session key from an account that has no password, after all. For example, if you try to use connect to a 3rd party device with guest access while SMB signing is required, you will receive: "System error 3227320323 has occurred." To resolve this error, don't use guest access (recommended) or turn off SMB signing (not recommended).
Final Notes
This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:
- SMB alternative ports (November 2023)
- SMB Firewall changes in Windows insider (November 2023)
- SMB over QUIC now available in Windows Server Insider Datacenter and Standard editions (November 2023)
- SMB client encryption mandate now supported in Windows Insider (October 2023)
- SMB over QUIC client access control now supported in Windows Insider (October 2023, updated Nov 2023)
- SMB NTLM blocking (September 2023, updated Nov 2023)
- SMB dialect management (September 2023)
- SMB signing required by default in Windows Insider (June 2023)
- The beginning of the end of Remote Mailslots (March 2023)
- SMB insecure guest auth now off by default in Windows Insider Pro editions (January 2023)
- SMB authentication rate limiter now on by default in Windows Insider (September 2022)
- SMB1 now disabled by default for Windows 11 Home Insiders builds (April 2022)
For more information on securing SMB on Windows in-market, check out:
- SMB security enhancements | Microsoft Learn
- Secure SMB Traffic in Windows Server | Microsoft Learn
- Protect SMB traffic from interception | Microsoft Learn
Until next time,
Ned Pyle