Windows 10: Windows 11 Pro in 2023: SMB insecure guest authentication fallbacks disabled

Microsoft's work on improving security in Windows 11 and introducing features of Windows 10 in the latest version of Windows continues in 2023.



Yesterday, Windows Server engineering group Principal Program Manager Ned Pyle published an announcement on the Microsoft Tech Community website regarding the disabling SMB insecure guest authentication fallbacks in Windows 11 Pro.

Microsoft made the change "years ago" in Windows 11 Enterprise and Education, and on Windows 10, and is introducing the change in the next major release of Windows 11 Pro.

Microsoft landed the change in Windows 10 version 1709 Enterprise and Education, and Windows Server 2019 initially. SMB2 and SMB3 clients do not allow guest account access to remote servers and guest account fallbacks after invalid credentials have been provided after the change landed on the systems.

Windows 10 Home and Pro editions have guest authentication enabled by default. The latest Insider build for Windows 10 Pro editions "no longer allow a user to connect to a remote share by using guest credentials by default, even if the remote server requests guest credentials".

The following error messages may be returned when trying to connect to devices that request guest credentials:

"You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network."

"Error code: 0x80070035
The network path was not found."
​

Guest logins do not support standard security features such as signing or encryption, and they do not require passwords. Allowing clients to use guest logins may "the user vulnerable to attacker-in-the-middle scenarios or malicious server scenarios" according to Pyle.

Microsoft disabled guest in server scenarios since Windows 2000, but third-party remote devices may require guest access by default.

Pyle recommends changing the third-party device's configuration so that it does not request guest authentication. Microsoft recommends configuring the third-party device to require a username and password for SMB connections.

A temporary workaround is provided for situations in which guest access is required. Administrators find information on this support page.

Thank you for being a Ghacks reader. The post Windows 11 Pro in 2023: SMB insecure guest authentication fallbacks disabled appeared first on gHacks Technology News.

read more...

 

Force Windows use guest account with SMB v2

I have been testing an anonymous shared folder on my Synology NAS, which my laptop (Windows 10 Pro) can access with guest account.

I thought it was due to the configuration (default or explicit for Windows 10 Pro), but it was largely because the NAS SMB service was limited to v1. Once I raised the protocol to v2, my Windows laptop cannot connect with guest account regardless of the
administrative template policy

Computer configuration\administrative templates\network\Lanman Workstation > Enable insecure guest logons

Guest access in SMB2 and SMB3 is disabled - Windows Server

What other extra configuration am I missing to let guest account credential flow through successfully?

 

I'm online from my wifi laptop but can't connect to my home network

Glad you found it. I assume only some are affected by this.

The policy is described thus:
This policy setting determines if the SMB client will allow insecure guest logons to an SMB server.

If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons.

If you disable this policy setting, the SMB client will reject insecure guest logons.

Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and do not use insecure guest logons by default. Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access."

It is called "Enable Insecure guest logons"
and

- so you would either enable it or not configure it.

(I found mine to be enabled).

 

Is Enabling Insecure Guest Logons Okay?

If you are the only one using it then there is no reason to use a public share. A public share is for being able to access a share from numerous PCs without authentication (and you are not able to provide everyone with a user/password access to the NAS).
That means if someone hacks your router (which they do by the millions) or intrude in your network/PC by other means they can access this public share (no matter what you set in Windows). If you use it from "outside" your network (as they mention "Cloud")
you should definitely not use a Public share.

You should be able to move the files to the private share area or to expand the private share area to it. No? I don't know how their devices work.

Also note, that "enable insecure guest logons" is not the same as enabling the guest account in Windows as the IA seems to think. It is *not* for allowing unauthenticated access to your (usually disabled) guest account in your Windows system!

This setting tells the client (your PC) that it can try an insecure unauthenticated login at *another* server (your NAS). That's all. And, as I said, it should be "enabled" by default as "not configured" means "enabled".