Only passwords, only hardcore!
Microsoft wants to increase the security of Windows in the Pro editions by disabling guest access via the SMB protocol. The change is seen in Windows 11 Insider Preview Build 25276 released this month.
A few years ago, Microsoft forcibly disabled the SMB1 protocol in recent versions of Windows, which caused inconvenience to many users. Now the changes concern the SMB2 and SMB3 protocols. They will continue to work, but guest access for them will be disabled by default, which means that you can only log in with a password. At the same time, the guest access option has not been completely removed from the system, it can be turned on if necessary. However, Microsoft itself does not recommend doing this.
"The key issue is that guest access does not require passwords and does not support basic security features," Ned Pyle, Microsoft's chief program manager, wrote in a blog post.
“Guest access leaves the user vulnerable to Man-in-the-Middle (MITM) or malicious server scenarios where a phishing attack tricks the user into opening a malicious file on a remote share,” Pyle added.
If a remote storage device (NAS) requires guest access to the system, the user will see one of the following errors when connecting via SMB:
- You can't access this share because your organization's security policies block unauthenticated guest access. These policies help protect your computer from unsafe or malicious devices on the network.
- Error code: 0x80070035
- The network path was not found.
Microsoft recommends that anyone who sees these messages should set up password access for this network device. And if the device cannot be configured according to the new requirements, or it needs guest access temporarily, the official instructions for enabling guest access in SMB2 and SMB3 can be found here.
Ned Pyle also wrote that users should not activate SMB1 to bypass the new restrictions. After all, this outdated protocol has even more security problems.