A few months ago, we learned that Microsoft was significantly improving Server Message Block (SMB) authentication in Windows 11. At the time, the company enabled SMB authentication rate limiting by default to make it a less attractive attack surface for malicious actors. Now, it has announced another change to SMB authentication.
In a technical blog post, Microsoft principal program manager Ned Pyle said that Windows 11 Pro will soon begin disabling insecure SMB guest authentication fallbacks. In fact, recent internal preview builds 25267 and 25276 already implement this security enhancement.
Microsoft’s rationale for this change is that guest authentication does not support audit trails or security mechanisms such as signatures and certificates. As such, guest logins are a very attractive vector for man-in-the-middle (MITM) attacks and can also be exploited in server scenarios. In the worst case, a malicious actor could use guest logins to gain read or copy access across your network while leaving no audit trail.
It is important to note that since Windows 2000, guest logins are not allowed by default. Similarly, Windows 10 Education and Enterprise do not allow SMB2 and SMB3 to fall back on guest logins after incorrect password attempts. Interestingly, while Windows 11 Pro Insider disables guest authentication by default, Windows 10 Pro does not.
Microsoft says that the only scenario in which you would need guest access is an authorized third-party remote storage device. In Windows 11 Pro, you will now encounter errors when trying to connect to such a device. The recommended solution is to consult the remote device’s documentation and find out how to avoid the need for guest authentication. If this is not possible, you can temporarily enable SMB2 or SMB3 guest fallback to allow access. SMB1, however, should not be used, because of the security vulnerabilities in that legacy protocol.
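The workflow described above, as an added PowerShell example that is not part of the article or Microsoft's own guidance: audit whether the SMB client still allows insecure guest fallback, enforce the new default, look for rejected guest logons, and apply the temporary exception for a legacy storage device with an automatic revert. The `Get-/Set-SmbClientConfiguration` cmdlets, the `AllowInsecureGuestAuth` registry value and SMB client event 31017 are Microsoft's documented SMB client settings; the share path is a constructed placeholder.

```powershell
# Added example (not from the article): manage the SMB client's insecure guest
# logon fallback on Windows 11 Pro. Run from an elevated PowerShell session.

# 1. Audit: is insecure guest fallback currently allowed on this client?
$cfg = Get-SmbClientConfiguration
"EnableInsecureGuestLogons = $($cfg.EnableInsecureGuestLogons)"

# The same setting as the registry value written by the Group Policy
# "Enable insecure guest logons" (Computer Configuration > Administrative
# Templates > Network > Lanman Workstation). 0 = blocked, 1 = allowed.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
Get-ItemProperty -Path $regPath -Name AllowInsecureGuestAuth -ErrorAction SilentlyContinue |
    Select-Object AllowInsecureGuestAuth

# 2. Harden: enforce the new Windows 11 Pro default on clients that still allow it.
Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force

# 3. Detect: guest logons the client rejected are recorded as event 31017 in the
#    Microsoft-Windows-SmbClient/Security log. Reviewing them tells you which
#    devices on the network still depend on guest access and need fixing.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SmbClient/Security'; Id = 31017 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 4. Temporary exception for an authorized legacy NAS (the only scenario the
#    article names): re-enable SMB2/SMB3 guest fallback only for the duration
#    of the copy, then switch it off again in a finally block so the exception
#    cannot be left behind. Do not re-enable SMB1 for this.
$share = '\\LEGACY-NAS\public'      # constructed placeholder, not a real host
Set-SmbClientConfiguration -EnableInsecureGuestLogons $true -Force
try {
    Copy-Item -Path (Join-Path $share 'export.zip') -Destination $env:TEMP -ErrorAction Stop
}
finally {
    Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force
}
```

Note that a persistent drive mapping to such a device would stop reconnecting once the fallback is disabled again, which is why the example performs a one-off copy inside the try block rather than mapping a drive.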
Microsoft mentions that this behavior is enabled by default in recent Windows 11 Pro Insider builds, and that it will become generally available in the “next major release” of the operating system. Alongside this move to make Windows more secure, the Redmond tech company also plans to phase out the Microsoft Support Diagnostic Tool (MSDT) in a few years.