we have been waiting so long…now it has arrived…as a DRAFT: Microsoft has released a DRAFT of its Windows 10 Creators Update (1703) Security Baseline: Security baseline for Windows 10 “Creators Update” (v1703) – DRAFT News There are not too many changes right noiw…but there are some very interesting and important recommendations now: Recommendation to…
Windows 10 (1709) – Guest Access Issue with SMB2
Sometimes the small things are the biggest issue when moving to a new Operating System. So a small change in the OS configuration or the security settings can lead to work blocking issues.
Last seen after Upgarde to 1709 in a small office…but let’s have a look at the basics first:
In most companies nobody would recognize this change….but this time it was one of the smaller ones. So imagine a small construction office, an architect or a startup. Working with 2 – 6 people on small projects…IT is not the center of their life. Also there is no dedicated IT staff. But even with 2 employees the requirement of sharing data and working together is a day to day topic. Maybe Office 365 is part of the business…but often we see a NAS in a corner of the office. This NAS has been configured to host a share for data exchange.
so far so good
But there is no AD-infrastructure, no EDP, no managed FileShare…
But there are some Windows 10 Enterprise Clients and they are receiving Feature Updates twice a year. And so they did with 1709
The Upgrade worked like a charm without any issue. The required Software was still running and also E-Mail is still working. yeha everything is fine….But when accessing the Team Share they receive the following message (sorry but German)
You can’t access this shared folder because your organization’s security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.
But everything was working fine before…and nobody has done anything…
This time it is really nobodys fault. This time the issue came with 1709. Because it is shipped with a new security setting, which is explained here:
To be honest…the issue is a bit stranger than thought….Because the change to guest access in SMB2 is just done in Windows 10 Enterprise and Education and Windows Server. Windows 10 Home and Pro are not changed. So the main issue is that we are talking about Enterprise Systems that are used to be member of a domain and to work in a managed environment…
So there are two solutions now…the right one and the easy one:
The easy way means to reactivate insecure guest logon…
Computer configuration\administrative templates\network\Lanman Workstation –>”Enable insecure guest logons”
The better way would be to activate authentication at the NAS…but we all know what really happens
So enjoy SMB2 🙂
P.S.: SMB1 is diabled per default in 1709 … yeha