Windows 11 Pro will soon disable insecure SMB guest authentication by default

王林
2023-05-01 11:10:06

Microsoft is significantly improving Server Message Block (SMB) authentication in Windows 11. Previously, the company enabled the SMB authentication rate limiter by default to make SMB a less attractive target for malicious actors. Now, it has announced another change to SMB authentication.

Windows 11 Pro will soon start disabling the insecure SMB guest authentication fallback, Ned Pyle, principal program manager at Microsoft, said. In fact, recent Insider Preview builds 25267 and 25276 have already implemented this security enhancement.

Microsoft's rationale for this change is that guest authentication does not support audit trails and security mechanisms such as signatures and certificates. As such, guest logons are a very tempting vector for man-in-the-middle (MITM) attacks, which can even be exploited in server scenarios. In the worst-case scenario, a malicious actor could use a guest login to gain read or copy access to the entire network without leaving any audit trail.

It is important to note that guest logins have not been allowed by default since Windows 2000. Likewise, Windows 10 Education and Enterprise editions do not allow SMB2 and SMB3 to fall back to guest login after an incorrect password attempt. Interestingly, while Windows 11 Pro Insider builds have guest authentication disabled by default, Windows 10 Pro does not.

Microsoft says the only time you should need guest access is when a legitimate third-party remote storage device requires it. However, you will now encounter an error when trying to do this in Windows 11 Pro. The solution is to dig into the remote device's documentation and figure out how to stop requiring guest authentication. If this is not possible, you can temporarily enable SMB2 or SMB3 guest fallback to allow access. However, SMB1 should not be used due to security holes in the older protocol.
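
To see how a given machine stands with respect to the guest fallback described above, the following audit script is an added example; it is not from the article or from Microsoft. The registry paths, the `EnableInsecureGuestLogons` setting and event ID 31017 come from Microsoft's documentation for this feature rather than from this page, and `$Remediate` is a hypothetical switch introduced here.

```powershell
# Added example: audit the SMB client's insecure guest logon state (run elevated).
$Remediate = $false   # hypothetical switch: set to $true to turn the fallback off

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Get-GuestAuthValue([string]$Key) {
    # Returns the AllowInsecureGuestAuth DWORD, or $null when the value is not set.
    (Get-ItemProperty -Path $Key -Name AllowInsecureGuestAuth `
        -ErrorAction SilentlyContinue).AllowInsecureGuestAuth
}

$policy = Get-GuestAuthValue $policyKey   # written by Group Policy; wins when present
$local  = Get-GuestAuthValue $localKey    # local setting
$client = Get-SmbClientConfiguration

[pscustomobject]@{
    PolicyAllowInsecureGuestAuth = $policy
    LocalAllowInsecureGuestAuth  = $local
    EnableInsecureGuestLogons    = $client.EnableInsecureGuestLogons
    Smb1ServerEnabled            = (Get-SmbServerConfiguration).EnableSMB1Protocol
} | Format-List

# Rejected guest logons from the last 7 days: these name the remote devices
# that still ask for guest access and need reconfiguring.
$filter = @{
    LogName   = 'Microsoft-Windows-SmbClient/Security'
    Id        = 31017
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List

# Optional hardening: disable the fallback unless a policy already manages it.
if ($Remediate -and $null -eq $policy -and $client.EnableInsecureGuestLogons) {
    Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Confirm:$false
    Write-Output 'Insecure guest logons disabled on the SMB client.'
}
```

If the fallback has to be enabled temporarily for a storage device, rerunning the script afterwards confirms that it was turned back off.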

Microsoft has mentioned that this behavior is enabled by default in recent Windows 11 Pro Insider builds, and that it will be generally available in the "next major version" of the operating system. In what appears to be a larger plan to make Windows more secure, the Redmond tech giant also plans to retire the Microsoft Support Diagnostic Tool (MSDT) within a few years.

Statement:
This article is reproduced from yundongfang.com. If there is any infringement, please contact admin@php.cn to have it deleted.