Microsoft's Ned Pyle has issued a warning to Windows 11 24H2 users. Security has been tightened up, so attempting to access some third-party Network Attached Storage (NAS) devices or a USB drive plugged into certain routers might fail.

Pyle, a principal program manager, has long been an advocate for driving a stake into the dark heart of earlier incarnations of the Server Message Block (SMB) protocol. For example, SMB1 is over 40 years old, and Pyle warned of its impending demise in 2022.

Windows 11 24H2 will take things further. According to Pyle, two changes have been made: SMB signing is now required by default on all connections, and guest fallback has been disabled on the Windows 11 Pro edition. The former prevents tampering on the network, while the latter improves security when connecting to an SMB server.

Pyle explains that Guest has been disabled because it lets the user connect to an SMB server with no username or password. While this state of affairs might be convenient for the maker of a NAS, as Pyle warns, "It means that your device can be tricked into connecting to a malicious server without prompting for credentials, then given ransomware or having your data stolen."

It has taken a while to get to this point. The Microsoft veteran noted that SMB signing had been available in Windows for 30 years, but its requirement by default on all connections was new. Similarly, Guest has been disabled in Windows for 25 years, and according to Pyle, SMB guest fallback has been disabled since Windows 10 in Enterprise, Education, and Pro for Workstation editions.

He said: "Both changes will make billions of devices more secure."

While the changes have been in the Windows Insider Dev and Canary builds for a year, some users excitedly upgrading to Windows 11 24H2 could get caught out.

Pyle explained: "There's one unavoidable consequence, though: we don't know when someone intended to be unsafe."

The changes mean that Windows won't know if an evil server is trying to do something horrid or if the user is simply trying to access some holiday snaps on an old NAS.

Either way, Windows 11 will respond with various error messages ranging from the helpful - "You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network" - to the downright obscure - "System error 3227320323 has occurred."

It is possible to turn off the changes, thereby making Windows less secure but regaining access to a device deemed unsafe. However, Pyle recommends upgrading the device, either through a software or firmware update or by replacing it.

Where a setting change, update, or replacement isn't an option, Microsoft is keen to name and shame.

Pyle said: "If you have a third party NAS device that doesn't support SMB signing, we want to hear about it. Please email wontsignsmb@microsoft.com with the make and model of your NAS device so we can share with the world and perhaps get the vendor to fix it with an update." ®

https://www.theregister.com//2024/05/30/windows_11_24h2_security_tweaks/