Microsoft to Block SMB Guest Authentication By Default in Windows 11 Pro


Microsoft is planning to disable the insecure SMB (Server Message Block) guest authentication fallback by default in Windows 11 Pro. The company has announced that this security improvement is already included in Windows 11 Insider Preview Build 25276, released this month.

According to Microsoft, guest authentication provides no audit trail and cannot be combined with security mechanisms such as certificates and SMB signing. When a client silently falls back to guest after a server rejects its credentials, an attacker who can interpose on the connection (a man-in-the-middle) can serve a malicious share without ever being challenged, which is a route into enterprise networks. Moreover, attackers could abuse a share that accepts guest access to read or copy its entire contents without presenting any credentials.

Notably, guest access has been disabled by default on the server side of Windows since Windows 2000. Moreover, PCs running Windows 10 Education and Enterprise editions already prevent the SMB2 and SMB3 client from falling back to guest authentication after a credential logon is rejected. Microsoft notes, however, that a legitimate third-party remote device might still require guest access by default.

Microsoft plans to disable default guest access for network shares in the next major release of Windows 11

Microsoft notes that users with network-attached storage (NAS) that relies on guest authentication will see the following error in future versions of Windows 11 Pro: “You can’t access this shared folder because your organization’s security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.” Users might also encounter the “0x80070035” and “The network path was not found” errors.

“The recommended solution when seeing these errors is to configure the remote device to stop requiring guest authentication. It will be a third-party device, not Windows, so you’ll need to locate their documentation and possibly update or replace the device. If your device allows guest access, any device or person on your network can read or copy all of your shared data without any audit trail or credentials,” said Ned Pyle, Principal Program Manager at Microsoft.
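For administrators who want the Enterprise/Education behaviour described above on a Pro machine today, or who want to confirm which setting their clients are using before the new default arrives, the following PowerShell script is an added example (it is not from the article or from Microsoft’s announcement). It assumes the SmbShare cmdlets `Get-SmbClientConfiguration` and `Set-SmbClientConfiguration`, the `EnableInsecureGuestLogons` client setting, and the `AllowInsecureGuestAuth` policy registry value, all of which exist on Windows 10 and 11 but none of which the article names. Run it from an elevated prompt; pass `-Enforce` to actually disable the fallback.

```powershell
# Added example, not part of the original article. Audits (and optionally
# enforces) the SMB client's insecure-guest-logon setting on Windows 10/11.
# Assumed names: Get-/Set-SmbClientConfiguration (SmbShare module),
# EnableInsecureGuestLogons, and the Group Policy-backed registry value
# HKLM\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation\AllowInsecureGuestAuth.

param(
    [switch]$Enforce   # when present, block the guest fallback instead of only reporting it
)

# Effective client setting. $true means the client will quietly retry as guest when
# a server rejects its credentials, which is the fallback Microsoft is turning off.
$cfg = Get-SmbClientConfiguration
Write-Host ("EnableInsecureGuestLogons (effective) : {0}" -f $cfg.EnableInsecureGuestLogons)

# A domain or local Group Policy ("Enable insecure guest logons" under
# Computer Configuration > Administrative Templates > Network > Lanman Workstation)
# overrides the local setting; report it if one is applied.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
$policy = Get-ItemProperty -Path $policyKey -Name AllowInsecureGuestAuth -ErrorAction SilentlyContinue
if ($null -ne $policy) {
    Write-Host ("Policy AllowInsecureGuestAuth          : {0}  (0 = fallback blocked)" -f $policy.AllowInsecureGuestAuth)
} else {
    Write-Host "Policy AllowInsecureGuestAuth          : not configured (local setting applies)"
}

# Current SMB connections and the credentials used for each. Review these before
# enforcing: a NAS you reach only because it accepts guest will stop working after
# the change until it is reconfigured to require an account.
Write-Host "`nOpen SMB connections:"
Get-SmbConnection |
    Select-Object ServerName, ShareName, UserName, Credential, Dialect |
    Format-Table -AutoSize

if ($Enforce -and $cfg.EnableInsecureGuestLogons) {
    # Same end state as the upcoming Windows 11 Pro default and the existing
    # Enterprise/Education behaviour: credential rejections no longer fall back to guest.
    Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force
    Write-Host "`nGuest fallback disabled. Shares that only allowed guest will now fail with the"
    Write-Host "'unauthenticated guest access' error until the device is configured to require credentials."
} elseif ($Enforce) {
    Write-Host "`nGuest fallback was already disabled; nothing changed."
}
```

Running the script without `-Enforce` is safe and only reports state, so it can be pushed to a fleet first to find machines whose open connections depend on guest shares; those are the devices the Microsoft guidance above says to reconfigure or replace before the new default lands.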

Overall, this move is part of Microsoft’s ongoing efforts to improve the security of its Windows operating system. The company expects to roll out the new default setting to all customers in the next major release of Windows 11.