A few months ago, we learned that Microsoft is significantly improving Server Message Block (SMB) authentication in Windows 11. At that time, the company enabled the SMB authentication rate limiter by default to make it a less attractive attack surface for malicious actors. Now, it has announced another change to SMB authentication.
In a technical blog post, Microsoft's Principal Program Manager Ned Pyle has stated that Windows 11 Pro will soon start disabling insecure SMB guest authentication fallbacks. In fact, recent Insider Preview builds 25267 and 25276 have already implemented this security enhancement.
Microsoft's rationale for this change is that guest authentication does not support audit trails or security mechanisms such as signing and certificates. As such, it is a very enticing vector for man-in-the-middle (MITM) attacks and can even be leveraged in server scenarios. In the worst case, a malicious actor could use guest logon to get read or copy access across your entire network without leaving any audit trail.
It is important to note that guest logons have not been allowed by default since Windows 2000. Similarly, Windows 10 Education and Enterprise do not allow SMB2 and SMB3 to fall back to guest logon after incorrect password attempts. Interestingly though, while Windows 11 Pro Insider builds disable guest authentication by default, Windows 10 Pro does not.
Microsoft says that the only scenario in which you would request guest access would be through a legitimate third-party remote storage device. However, you'll now encounter errors while attempting to do so in Windows 11 Pro. The workaround is to dig through the remote device's documentation and figure out how to stop it requiring guest authentication. If this is not possible, you can temporarily enable SMB2 or SMB3 guest fallback to allow access. SMB1, however, should not be used because of the security vulnerabilities present in the legacy protocol.
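A quick way for an administrator to see where a Windows client stands on this setting, as an added PowerShell example that is not from the article or from Microsoft: it reads the SMB client configuration and the SMB1 feature state, and turns the guest fallback off if it is still on. The function names are my own; the cmdlets, the property and the registry value are the standard Windows ones.

```powershell
# Added example (not from the article or from Microsoft): audit the SMB client's
# insecure guest logon fallback and the legacy SMB1 feature on a Windows host,
# and enforce the hardened value if needed. Run in an elevated PowerShell session.
# Function names are hypothetical; the cmdlets and registry value ship with Windows.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Get-SmbGuestFallbackState {
    # Effective setting as seen by the SMB client
    $client = Get-SmbClientConfiguration
    # Raw registry value; the "Enable insecure guest logons" Group Policy writes the same key
    $reg = Get-ItemProperty -Path $regPath -Name AllowInsecureGuestAuth -ErrorAction SilentlyContinue
    # SMB1 optional feature state (Enabled / Disabled / DisabledWithPayloadRemoved)
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    [pscustomobject]@{
        InsecureGuestLogonsEnabled = [bool]$client.EnableInsecureGuestLogons
        AllowInsecureGuestAuthReg  = if ($null -ne $reg) { $reg.AllowInsecureGuestAuth } else { 'not set' }
        Smb1FeatureState           = if ($null -ne $smb1) { $smb1.State.ToString() } else { 'unknown' }
    }
}

function Set-SmbGuestFallbackHardened {
    # Disable the SMB2/SMB3 guest fallback; -Force suppresses the confirmation prompt.
    # If a Group Policy sets this value, the policy wins on the next refresh.
    Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force
}

$state = Get-SmbGuestFallbackState
$state | Format-List

if ($state.InsecureGuestLogonsEnabled) {
    Write-Warning 'Insecure SMB guest fallback is enabled on this client; disabling it.'
    Set-SmbGuestFallbackHardened
}
if ($state.Smb1FeatureState -eq 'Enabled') {
    Write-Warning 'SMB1 is installed; remove it with Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol.'
}
```

If a storage device genuinely needs guest access, re-enabling the fallback with `-EnableInsecureGuestLogons $true` is the temporary measure the article describes; record the change so it can be reverted once the device is reconfigured.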
Microsoft has mentioned that this behavior is enabled by default in recent Windows 11 Pro Insider builds, and that it will become generally available in the "next major release" of the operating system. The move appears to be part of a larger plan to make Windows more secure, with the Redmond tech giant also planning to kill off the Microsoft Support Diagnostic Tool (MSDT) in a couple of years.