News Windows 11 24H2 may block connections to unsecured third-party NAS devices — Microsoft enables SMB signing for enhanced security

[Admin]

To boost security for its users, Microsoft has disabled SMB1 and Guest Signing protocol by default, securing billions of Windows 11 24H2 PCs as it would not allow access to unsecured NAS devices, prompting the respective manufacturers to enable it.

Windows 11 24H2 may block connections to unsecured third-party NAS devices — Microsoft enables SMB signing for enhanced security : Read more

 

[ezst036]

How will this affect using a computer that has been brought out from the basement (previously used, now collecting dust) and reformatted/re-commissioned as a linux-based NAS?

These old Core 2s and first gen Zen computers make great personal servers(print, data, music, etc).

Not everybody will just be going out and buying some retail NAS around here.

EDIT: Made the text bigger for the part people keep missing or choosing to ignore.

 

[USAFRet]

How will this affect using a computer that has been brought out from the basement (previously used, now collecting dust) and reformatted/re-commissioned as a linux-based NAS?

These old Core 2s and first gen Zen computers make great personal servers(print, data, music, etc).

Not everybody will just be going out and buying some retail NAS around here.

Probably will just need an update to whatever OS it is running.

An old protocol going away is not a new or unique thing.

 

[ezst036]

An old protocol going away is not a new or unique thing.

Agree.

 

[coromonadalix]

and what do you do when the nas maker doesn't upgrade it's nas Os ????...

 

[brandonjclark]

For those wondering how this will affect them, here are a few things I can think of...

1. SMB Signing doesn't require certificates, rather it uses hashes.
2. Signing adds a small amount of new data requirement (the signing exchange process data {key, session data}) to each block.
3. This will REDUCE performance, especially if you are logging your SMB transactions.
4. Have fun updating your old devices (OS's) or disable this new SMB requirement.*

Can anyone find fault with these statements?


PowerShell

#get status of SMB Signing
Get-SmbClientConfiguration | select RequireSecuritySignature

#disable SMB Signing
Set-SmbClientConfiguration -RequireSecuritySignature $false

#get status of guest fallback
Get-SmbClientConfiguration | select EnableInsecureGuestLogons

#enable guest fallback
Set-SmbClientConfiguration -EnableInsecureGuestLogons $true

 

[USAFRet]

and what do you do when the nas maker doesn't upgrade it's nas Os ????...

Cross that bridge when you come to it.

My QNAP is currently over 7 years old (Jan 2017)
It gets updates regularly...like every 4-6 weeks.

 

[Katana.lx]

To boost security for its users, Microsoft has disabled SMB1 and Guest Signing protocol by default, securing billions of Windows 11 24H2 PCs as it would not allow access to unsecured NAS devices, prompting the respective manufacturers to enable it.

Windows 11 24H2 may block connections to unsecured third-party NAS devices — Microsoft enables SMB signing for enhanced security : Read more

Dear Mr Roshan Ashraf Shaikh,

I'm sorry but what you describe happens for a while in Windows 10. I don't know in wich update that happened but every time I make a new installation in Windows 10, I have to install manually the SMB 1.1 services. I have a D-LINK NAS enclosure (DNS-323) and I cannot reach it in Windows or Linux Mint without installing manually the services (in the case of Mint you have to change a file) for quite some time.
Windows 11 was behind Windows 10 in this case.

Dinis Domingos

 

[ravewulf]

One potential wrinkle is for retro computer hobbyists who want to transfer files between a modern computer or NAS and their older Windows 9x/Windows XP systems

 

[USAFRet]

One potential wrinkle is for retro computer hobbyists who want to transfer files between a modern computer or NAS and their older Windows 9x/Windows XP systems

If it fails, sneakernet.

 

[derekullo]

Years ago at work I setup a Xigmanas NAS using SMB1 that any computer on our network could read from for the purposes of installing software using psexec. (The share is write protected by default unless I need to add files)

Before Windows 11 all computers were able to access the NAS without issue.
With Windows 11 Enterprise I had to update the nas protocol to SMB3 and add the following script to the beginning of my update script.

net use Z: \\ServerName\ShareName /user:genericx genericxpassword /persistent:no (not the real username or pass )

So that windows wouldn't give the error of can't connect to an unsecured NAS or something like that.

I guess this makes it more secure, but if that's all it takes is a malicious user to create a generic account to connect to their malicious NAS I don't see any security in that.

Will SMB signing require more steps than this to access the NAS or is using SMB3 all that is needed?

 

[USAFRet]

I guess this makes it more secure, but if that's all it takes is a malicious user to create a generic account to connect to their malicious NAS I don't see any security in that.

How would a 'malicious user' run that script?

 

[derekullo]

How would a 'malicious user' run that script?

Unsure how they would obtain domain admin access ...

Just saying if the only security they are adding is requiring login credentials, something I was able to provide with a single line in my own script and 3 minutes on my NAS and I don't see how requiring login credentials for a NAS would hinder anyone.

Or am I missing something?

 

[DS426]

How will this affect using a computer that has been brought out from the basement (previously used, now collecting dust) and reformatted/re-commissioned as a linux-based NAS?

These old Core 2s and first gen Zen computers make great personal servers(print, data, music, etc).

Not everybody will just be going out and buying some retail NAS around here.

I would also say update the NAS software. Oh and maybe pull that old dusty NAS out now and backup data to a new one before it's too late? Can always spin up Windows 10 or pre-24H2 version of Windows 11 as a virtual machine to to get around this problem.

As for Windows, SMB signing should be on by default but MS should make it easy to find and turn off in Windows 11 going forward, e.g. in 'Storage' of the Settings app.

 

[USAFRet]

Unsure how they would obtain domain admin access ...

Exactly.

Add in 2Fa...

 

[CmdrShepard]

How will this affect using a computer that has been brought out from the basement (previously used, now collecting dust) and reformatted/re-commissioned as a linux-based NAS?

If you are going to trust your data to some old worn out computer which has been "collecting dust" (not to mention whose PSU and mainboard capacitors were drying out for years and whose coin battery lost charge and maybe even leaked damaging the mainboard in the process as it rusted in a dusty damp basement) then you deserve to lose all of it.

If you still proceed despite the warning and install latest Linux on it, then I am sure you will be able to Google how to configure Samba to disable SMB1 and enable signing.

Will SMB signing require more steps than this to access the NAS or is using SMB3 all that is needed?

Here's what Microsoft has to say on the topic:

If someone changes a message during transmission, the hash won't match, and SMB will know that someone tampered with the data. The signature also confirms the sender's and receiver's identities. This prevents relay attacks. Ideally, you are using Kerberos instead of NTLMv2 so that your session key starts strong. Don't connect to shares by using IP addresses and don't use CNAME records, or you will use NTLM instead of Kerberos. Use Kerberos instead. See Using Computer Name Aliases in place of DNS CNAME Records for more information.

 

[ezst036]

I would also say update the NAS software. Oh and maybe pull that old dusty NAS out now and backup data to a new one before it's too late? Can always spin up Windows 10 or pre-24H2 version of Windows 11 as a virtual machine to to get around this problem.

As for Windows, SMB signing should be on by default but MS should make it easy to find and turn off in Windows 11 going forward, e.g. in 'Storage' of the Settings app.

It's strange that this needed to be pointed out, but if a computer is getting reformatted and re-commissioned it is getting a brand new Linux distro on it.

This should have been pretty clear to all three of the users who missed it.

It's a new software install.

 

[ex_bubblehead]

It's strange that this needed to be pointed out, but if a computer is getting reformatted and re-commissioned it is getting a brand new Linux distro on it.

This should have been pretty clear to all three of the users who missed it.

It's a new software install.

New or old doesn't matter one whit. You still need to adhere to the rules in a Microsoft environment, and those rules have changed from what they were.