Windows 11 Pro in 2023: SMB insecure guest authentication fallbacks disabled
Microsoft's work on improving security in Windows 11 and introducing features of Windows 10 in the latest version of Windows continues in 2023.
Yesterday, Windows Server engineering group Principal Program Manager Ned Pyle published an announcement on the Microsoft Tech Community website regarding the disabling SMB insecure guest authentication fallbacks in Windows 11 Pro.
Microsoft made the change "years ago" in Windows 11 Enterprise and Education, and on Windows 10, and is introducing the change in the next major release of Windows 11 Pro.
Microsoft landed the change in Windows 10 version 1709 Enterprise and Education, and Windows Server 2019 initially. SMB2 and SMB3 clients do not allow guest account access to remote servers and guest account fallbacks after invalid credentials have been provided after the change landed on the systems.
Windows 10 Home and Pro editions have guest authentication enabled by default. The latest Insider build for Windows 10 Pro editions "no longer allow a user to connect to a remote share by using guest credentials by default, even if the remote server requests guest credentials".
The following error messages may be returned when trying to connect to devices that request guest credentials:
"You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network."
"Error code: 0x80070035
The network path was not found."
Guest logins do not support standard security features such as signing or encryption, and they do not require passwords. Allowing clients to use guest logins may "the user vulnerable to attacker-in-the-middle scenarios or malicious server scenarios" according to Pyle.
Microsoft disabled guest in server scenarios since Windows 2000, but third-party remote devices may require guest access by default.
Pyle recommends changing the third-party device's configuration so that it does not request guest authentication. Microsoft recommends configuring the third-party device to require a username and password for SMB connections.
A temporary workaround is provided for situations in which guest access is required. Administrators find information on this support page.
@Martin: When I see what have become Ghack since few weeks I think you should start a new tech website/blog.
It’s really sad, capitalism destroy everything useful to try to make a few bucks :( .
There are probably some tech news sits with socialist or communist angles. Go there.
There are so many new articles that I can’t barely remember which ones I have read. ._.
Darn! And here I thought Shaun would be all over this one. :p