Microsoft details workaround for "old unsafe" guest access after making SMB signing default

Earlier this month, Microsoft made Server Message Block (SMB) signing mandatory by default on all connections to improve the security of Windows and Windows Server. The company explained the change in more detail in a separate blog post. It is part of an ongoing hardening effort by the Redmond giant that began last year. As a consequence of the change, guest access no longer works either; Microsoft deems it "old unsafe" behavior because a guest session offers no way to validate the remote device.

Today, Ned Pyle, who is a Principal Program Manager in the Windows Server engineering group, published a new Tech Community blog post discussing the issue of guest authentication and workarounds for it.

When guest access is attempted, one of these two messages appears:

  • You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.
  • Error code: 0x80070035
    The network path was not found.

Pyle adds that the only way to truly fix this is to stop using guest credentials, as there is no way around the change. Hence, it is not really a "fix" so much as an acceptance. He explains:

Fix

The Microsoft recommended fix is to stop accessing your third-party devices using guest credentials. Anyone - anyone - who can see that device can access all your data without any password or audit trail. Device makers configure guest access so they won't have to deal with their customers forgetting their passwords or require a more complex setup process. These are unsafe places to store your personal or professional life. Many of these devices do have the ability to configure a username and password - consult your vendor docs. Others might have the ability with a software upgrade. And others might just be unsafe - for those, you should replace them with a trustworthy product and move all your data off the old device, ensure you wipe its drives clean, then recycle it.

However, if there is no way to access the device other than guest authentication, the SMB signing requirement has to be disabled, which, as expected, leaves the environment more exposed: the client can no longer guarantee that it is talking to a trusted, unmodified server. In the workaround section quoted below, Ned Pyle lays out the ways to disable the default SMB signing requirement:

Workaround

If you cannot disable the use of guest for your third party, you must disable the requirement of SMB signing. Obviously, this means that now not only are you using guest access, but you're also preventing your client from guaranteeing signing to a trusted device. That's why this is just a workaround, and we don't recommend it.

You can disable the SMB signing requirement three ways:

Graphical (local group policy on one device)

  1. Open the Local Group Policy Editor (gpedit.msc) on your Windows device.
  2. In the console tree, select Computer Configuration > Windows Settings > Security Settings> Local Policies > Security Options.
  3. Double-click Microsoft network client: Digitally sign communications (always).
  4. Select Disabled > OK.

Command-line (PowerShell on one device)

  1. Open an administrator-elevated PowerShell console.
  2. Run: Set-SmbClientConfiguration -RequireSecuritySignature $false

Domain-based group policy (on IT-managed fleets)

  1. Locate the security policy applying this setting to your Windows devices (you can use GPRESULT /H on a client to generate a resultant set of policy report to show which group policy is requiring SMB signing).
  2. In GPMC.MSC, change the Computer Configuration > Policies > Windows Settings > Security Settings> Local Policies > Security Options.
  3. Set Microsoft network client: Digitally sign communications (always) to Disabled.
  4. Apply the updated policy to Windows devices needing guest access over SMB.
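Because the workaround above weakens the client, an administrator will want to know which devices are currently in that state and which active sessions are actually running unsigned. The following PowerShell script is an added example, not code from Microsoft's post: it audits the client signing and guest-logon settings with the SmbShare cmdlets the post uses, lists unsigned connections, and can restore the default. It assumes a current Windows 10/11 or Windows Server build where Get-SmbConnection exposes the Signed and Encrypted properties, and an elevated console.

```powershell
#Requires -RunAsAdministrator
# Added example (not from Microsoft's post). Audits the SMB client signing
# requirement and insecure-guest setting, reports active unsigned SMB
# connections, and optionally restores Microsoft's default (signing required).
[CmdletBinding()]
param(
    # Re-enable the signing requirement after auditing (reverses the workaround).
    [switch]$Remediate
)

$cfg = Get-SmbClientConfiguration

# The three settings that matter for the guest/signing discussion in the post.
$settings = [ordered]@{
    RequireSecuritySignature  = $cfg.RequireSecuritySignature
    EnableSecuritySignature   = $cfg.EnableSecuritySignature
    EnableInsecureGuestLogons = $cfg.EnableInsecureGuestLogons
}

Write-Host "SMB client configuration on $env:COMPUTERNAME:"
foreach ($entry in $settings.GetEnumerator()) {
    Write-Host ("  {0,-26} {1}" -f $entry.Key, $entry.Value)
}

if (-not $cfg.RequireSecuritySignature) {
    Write-Warning "SMB signing is not required: this device is in the workaround state."
}
if ($cfg.EnableInsecureGuestLogons) {
    Write-Warning "Insecure guest logons are enabled: shares can be reached with no credentials."
}

# Sessions that negotiated without signing are the ones a spoofed server could abuse.
$unsigned = Get-SmbConnection | Where-Object { -not $_.Signed }
if ($unsigned) {
    Write-Host "Active unsigned SMB connections:"
    $unsigned |
        Select-Object ServerName, ShareName, UserName, Dialect, Encrypted |
        Format-Table -AutoSize
} else {
    Write-Host "No active unsigned SMB connections."
}

if ($Remediate) {
    # Same cmdlet the post uses, set back to the default; -Force skips the prompt.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Write-Host "Signing requirement restored; re-run Get-SmbClientConfiguration to confirm."
}
```

Run it without parameters to audit a device, or with -Remediate once the guest-only device has been replaced or given real credentials.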

You can read the full post on Microsoft's Tech Community blog.
