Microsoft Pro Guest SMB Insecure Guest Auth Off by Default
Microsoft Windows Insider Pro now has SMB insecure guest authorization turned off by default. In a blog post, Microsoft’s Ned Pyle notes that “guest logons don't require passwords & don't support standard security features like signing and encryption.” The change is effective in the Windows 11 Insider Preview Build 25276, which was released earlier this month.
I’m going to skew *really* old here: before we had houses, we had caves, which mostly had only one way in and out. Perimeter security was pretty straightforward. Operating systems in general and certainly Windows in particular started out essentially like fields, not caves – everything could walk, slither or fly in and out as the default. Even though this change is not a big deal, always good to see Windows being more cave-like than field-like. In real businesses, as long as we don’t send paychecks to customers and products to employees, perimeters exist (albeit more complex than caves…) and will need to be defended.
This is a move in the right direction, shares should only be enabled with a defined process, ideally never from a workstation, beyond what is required for management. Guest logins should only be enabled with deliberate care and forethought. Better still, use cloud-based file sharing services which have many options, including self-registration, logging, and centralized management.
SMB is a network file sharing protocol that cybercriminals can leverage as part of a ‘living off the land’ attack. For years, standard cybersecurity best practice guidance has been to disable guest accounts. By turning off by default for Windows Pro editions, Microsoft removes one additional configuration change that end users have to make – a good thing!