Windows 11 24H2 might call time on that old NAS under the stairs

Avoidance of evil intent means required SMB signing and no more guest fallback


Microsoft's Ned Pyle has issued a warning to Windows 11 24H2 users. Security has been tightened up, so attempting to access some third-party Network Attached Storage (NAS) devices or a USB drive plugged into certain routers might fail.

Pyle, a principal program manager, has long been an advocate for driving a stake into the dark heart of earlier incarnations of the Server Message Block (SMB) protocol. For example, SMB1 is over 40 years old, and Pyle warned of its impending demise in 2022.

Windows 11 24H2 will take things further. According to Pyle, two changes have been made: SMB signing is now required by default on all connections, and guest fallback has been disabled on the Windows 11 Pro edition. The former prevents tampering on the network, while the latter improves security when connecting to an SMB server.

Pyle explains that Guest has been disabled because it lets the user connect to an SMB server with no username or password. While this state of affairs might be convenient for the maker of a NAS, as Pyle warns, "It means that your device can be tricked into connecting to a malicious server without prompting for credentials, then given ransomware or having your data stolen."

It has taken a while to get to this point. The Microsoft veteran noted that SMB signing had been available in Windows for 30 years, but its requirement by default on all connections was new. Similarly, Guest has been disabled in Windows for 25 years, and according to Pyle, SMB guest fallback has been disabled since Windows 10 in Enterprise, Education, and Pro for Workstation editions.

He said: "Both changes will make billions of devices more secure."

While the changes have been in the Windows Insider Dev and Canary builds for a year, some users excitedly upgrading to Windows 11 24H2 could get caught out.

Pyle explained: "There's one unavoidable consequence, though: we don't know when someone intended to be unsafe."

The changes mean that Windows won't know if an evil server is trying to do something horrid or if the user is simply trying to access some holiday snaps on an old NAS.

Either way, Windows 11 will respond with various error messages ranging from the helpful – "You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network" – to the downright obscure – "System error 3227320323 has occurred."

It is possible to turn off the changes, thereby making Windows less secure but regaining access to a device deemed unsafe. However, Pyle recommends upgrading the device, either through a software or firmware update or by replacing it.
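To find machines where the two defaults described above have been turned off, the following PowerShell is an added example, not code from Pyle or Microsoft. It reads the client settings with the built-in `Get-SmbClientConfiguration` and `Get-SmbConnection` cmdlets; `Test-SmbClientDefaults` is a hypothetical helper name and the sample object is constructed.

```powershell
# Added example: audit the SMB client settings the article describes.
# Test-SmbClientDefaults is a hypothetical helper name chosen for this example.
function Test-SmbClientDefaults {
    param(
        # Any object exposing the two properties below.
        # When omitted, the live client configuration is read (Windows only).
        $Config = (Get-SmbClientConfiguration)
    )

    $findings = @()
    if (-not $Config.RequireSecuritySignature) {
        $findings += [pscustomobject]@{
            Setting = 'RequireSecuritySignature'
            Value   = $Config.RequireSecuritySignature
            Risk    = 'Signing is not required, so SMB traffic is open to tampering on the network'
        }
    }
    if ($Config.EnableInsecureGuestLogons) {
        $findings += [pscustomobject]@{
            Setting = 'EnableInsecureGuestLogons'
            Value   = $Config.EnableInsecureGuestLogons
            Risk    = 'Guest fallback is allowed, so a server can be reached with no username or password'
        }
    }
    # An empty result means both defaults are still in place.
    $findings
}

# Constructed sample: a client on which both defaults have been turned off.
$sample = [pscustomobject]@{
    RequireSecuritySignature  = $false
    EnableInsecureGuestLogons = $true
}
Test-SmbClientDefaults -Config $sample | Format-Table -AutoSize

# On a Windows machine, check the live settings and list any current
# connections that are not signed (candidates for the old-NAS problem).
if (Get-Command Get-SmbClientConfiguration -ErrorAction SilentlyContinue) {
    Test-SmbClientDefaults | Format-Table -AutoSize
    Get-SmbConnection |
        Where-Object { -not $_.Signed } |
        Select-Object ServerName, ShareName, UserName, Dialect, Signed
}
```

An unsigned connection listed here only shows that signing was not in use for that session; it does not by itself prove the server cannot sign.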

Where a setting change, update, or replacement isn't an option, Microsoft is keen to name and shame.

Pyle said: "If you have a third party NAS device that doesn't support SMB signing, we want to hear about it. Please email wontsignsmb@microsoft.com with the make and model of your NAS device so we can share with the world and perhaps get the vendor to fix it with an update." ®
