Microsoft locks door to default guest authentication in Windows Pro

Microsoft wants to bulk up the security in Windows Pro editions by ensuring the SMB insecure guest authentication fallbacks are no longer the default setting in the operating system. The move, which is included in the Windows 11 Insider Preview Build 25276 released this month, means that systems with Windows 10 version 1709 or …

  1. Anonymous Coward
    Anonymous Coward

    Pointless idea

    This means that admins are now going to create a dummy user for anything that needs automation.

    Honestly, I wish MS would start on proper security instead of all this make believe crap. It's getting tiresome.

    1. Roland6 Silver badge

      Re: Pointless idea

      The irritation with Windows is there doesn't seem to be a default out-of-the-box automation user account that isn't administrator.

      1. Anonymous Coward
        Anonymous Coward

        Re: Pointless idea

        .. amongst many, many other problems.

        I think it was in the 90s when they were accused of hindering innovation. I'd say they haven't stopped.

      2. The Original Steve

        Re: Pointless idea

        "The irritation with Windows is there doesn't seem to be a default out-of-the-box automation user account that isn't administrator."

        Yes there is, just not on clients. Look up (Group) Managed Service Accounts if you're running a domain environment.

        But you can just create a user account. Having anonymous anything is poor security quite frankly. Don't know why there's any argument over it - if you want to do something on a system you really need to know what is doing it, and therefore a well managed service account should be created as security best practice, regardless of platform being used.

    2. Anonymous Coward
      Anonymous Coward

      Re: Pointless idea

      "This means that admins are now going to create" - This is exactly what service accounts are for.

    3. jtaylor

      Re: Pointless idea

      create a dummy user for anything that needs automation...I wish MS would start on proper security.

      Service accounts and access control are part of "proper security." What an odd rant.

  2. Black Label1
    Black Helicopters

    Chaos for Windows Sysadmins

    This move will create chaos for Windows sysadmins, if implemented. Automated processes failing, users calling support.

    1. Anonymous Coward
      Anonymous Coward

      Re: Chaos for Windows Sysadmins

.. and a Microsoft investor briefing to demonstrate just how much they have most of their customers by the short & curlies.

      I am getting beyond the point where I buy that these things happen by accident. It's veering towards active malevolence.

    2. big_D Silver badge

      Re: Chaos for Windows Sysadmins

      It just means that we don't have to worry about disabling it on new machines, when we configure them - although checking to make sure they are disabled is probably still wise.

      All automated processes use documented users with documented rights.

    3. jtaylor

      Re: Chaos for Windows Sysadmins

      This move will create chaos for Windows sysadmins, if implemented.

      I hope that "require authentication on fileshares" and "manage access to data" are not new requirements for any sysadmin.

      Automated processes have to run in a user context anyway, so that hasn't changed.

    4. marcxm

      Re: Chaos for Windows Sysadmins

Well, Windows admins are known for their lack of understanding of security. And it's not their fault, really. If you think about it - you are using and managing an insecure base, and you are being told that it's secure.

  3. david 12 Silver badge

Unix compatibility

    This is the same reason MS continues to support SMB1 (not by default), and old authentication methods (not by default). They don't care about supporting Win95: they'd rather Windows users bought new computers with recent OS, and there is rarely any kickback. But they have had, and continue to have, outrage from users of old unsupported OpenSource systems whenever they deprecate a network authentication feature.

  4. BPontius

    Guest denied

    I have long denied Guest access of any kind. Have removed all SMB versions, no need for them. I wish Microsoft would simplify the security for user/group accounts, with the SIDs, Tokens, DACLs, SACLs, ACEs, permissions, rights, integrity levels, ownership, inheritance...etc, such a convoluted mess.

    1. katrinab Silver badge
      Meh

      Re: Guest denied

      What do you use for network file shares? NFS? WebDav?

      I do have SMB file shares, but on a FreeBSD server, not a Windows server.

  5. FlamingDeath Silver badge

    Observation

    When I install Windows 10, I purposely make sure it does not have an internet connection during the install process

    During the installation, it will ask you to connect to a network, there is an option that says "I do not have internet"

    After selecting "I do not have internet", the page that follows, lists a bunch of benefits of having internet and tries to convince you to re-consider your choice

    Braincells, are clearly in short supply in some of these tech companies

    1. David 132 Silver badge
      Thumb Up

      Re: Observation

      Technically what it's telling you is how much more wonderful things would be if you were online and could have a super, shiny, modern, lovely Microsoft account. Tied to Microsoft, of course, and increasing their tentacles' grip around you, but only a jaded cynic would suggest that's their primary motivation. They just love you and want the best for you, honestly.

    2. Wade Burchette

      Re: Observation

That process no longer works on the newest builds of Windows 11. Instead, what you have to do is proceed to the screen that asks you to join a network. At that screen, and only there, press SHIFT + F10 (or SHIFT + FN + F10 because idiot laptop builders combine less useful keys with the more useful function keys). A command prompt window appears. You browse to c:\windows\system32\oobe. Then type BypassNRO.cmd. That adds an entry to the registry then restarts. Then you can bypass joining a network in Windows 11.

You also need to make sure whole-disk encryption is turned off. On many W11 machines, it is turned on without asking.

      1. Hubert Cumberdale Silver badge

        Re: Observation

        Yet another reason to avoid 11.

Although – is whole-disk encryption by default a bad thing? I know it can make life a pain in the arse for techy people trying to move disks around, but isn't "higher security by default" good? As a freelance handling potentially sensitive data, I've got BitLocker enabled on all my disks, with a (strong) password required at boot time. This gives me (and my clients) peace of mind should any of them be stolen. I know it's not completely unbreakable, but it will stop your average junkie/person they sell my laptop to from being able to get to anything.

  6. Anonymous Coward
    Anonymous Coward

    wha?

    I'm curious why I'd need to bother with a man in the middle attack if there is guest access to the server? Disabling guest access on the server doesn't prevent a MITM attack, the client guest would still gleefully connect to the MITM.

    And how exactly would using guest credentials prevent encryption? TLS doesn't use user credentials, it just encrypts the connection.

    I tell you what would improve security...removing all the desktop and taskbar icons...oh, never mind, that's already done.

  7. Roland6 Silver badge

    Article lacking clarity

    There are two things here.

    The first is a Windows computer allowing inbound Guest/anonymous access, which seems to have not been the default since Windows 2000.

    Obviously, when I set up a network shared folder, I have the choice to limit or not those who can access that folder, hence this proposal would seem to suggest that the option to enable 'everyone' to see a folder is to be withdrawn.

    The second is a Windows user accessing a network resource, such as a NAS, which has been setup with open to all unauthenticated access. It would seem from the article, MS are implementing stuff that will block a windows user from accessing such a (local network) resource, without having to jump through hoops. Yet obviously, everything I access through Edge (ie. Internet resource) is effectively only available to me because Guest access is a given...

    1. david 12 Silver badge

      Re: Article lacking clarity

      "Everyone" does not include guest/anonymous on Windows (since 2000). This change has no effect on "everyone" permissions or authentication.

      This is a client-side change. This change has no effect on folder or network access permissions.

      This is a change to the client in Windows workstation, which will prevent by default the client attempting guest access when authenticated access fails, which will affect systems connecting to SAMBA servers which are set up for guest/anonymous access. (Which used to be very common, because network authentication used to be hard to support on *nix systems).

      The willingness of old 'everyone' SAMBA servers to accept guest/anonymous access from macOS and linux clients, has caused me nothing but trouble, but those are problems that won't be fixed by this.
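big_D's point above about still checking that the setting is off on new machines, and david 12's explanation that this is purely a client-side change to the SMB client's guest fallback, both come down to one workstation setting. The script below is an added example, written for this thread and not taken from the article or from any commenter, that audits that setting on a Windows 10/11 client and turns the fallback off if it is still enabled. It assumes an elevated PowerShell session with the built-in SmbShare module; the cmdlets, the `EnableInsecureGuestLogons` parameter and the `AllowInsecureGuestAuth` registry value are Microsoft's documented names, while the two function names are this example's own.

```powershell
# Added example (not from the article or any commenter): audit and, if needed,
# enforce the SMB client's "insecure guest logons" setting on a Windows client.
# Assumes Windows 10/11 or Server 2016+ with the SmbShare module, run elevated.
# Registry path/value and cmdlets are Microsoft's; the function names are ours.

function Get-InsecureGuestAuthState {
    [CmdletBinding()]
    param()

    # The policy-backed registry value behind the SMB client setting.
    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $regValue = (Get-ItemProperty -Path $regPath -Name AllowInsecureGuestAuth `
                    -ErrorAction SilentlyContinue).AllowInsecureGuestAuth

    # The effective setting as reported by the SMB client itself.
    $cfg = Get-SmbClientConfiguration

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        EnableInsecureGuestLogons = $cfg.EnableInsecureGuestLogons
        AllowInsecureGuestAuthReg = if ($null -eq $regValue) { 'not set (build default applies)' } else { $regValue }
        # Compliant means the client will NOT fall back to guest when authentication fails.
        Compliant                 = (-not $cfg.EnableInsecureGuestLogons)
    }
}

function Disable-InsecureGuestAuth {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB client insecure guest logons')) {
        # -Force suppresses the interactive confirmation so this can run unattended.
        Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force
    }
}

# Audit first; remediate only when the fallback is still enabled.
$state = Get-InsecureGuestAuthState
$state | Format-List

if (-not $state.Compliant) {
    Disable-InsecureGuestAuth
    # Re-read so the log shows the post-change state.
    Get-InsecureGuestAuthState | Format-List
}
```

Run it with `-WhatIf` on `Disable-InsecureGuestAuth` to see what would change without changing it. In a domain the same setting is managed centrally through Group Policy under Computer Configuration > Administrative Templates > Network > Lanman Workstation > "Enable insecure guest logons", which writes the same `AllowInsecureGuestAuth` value. Once the fallback is off, a client that reaches a share configured for guest-only access no longer silently downgrades; it fails, and the "network path was not found" message keithzg mentions below is the usual symptom to look for when an automated job stops working after the change.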

  8. keithzg

    Ah, a classic Microsoftian error message

    "The network path was not found" is such a classic Microsoft error message. I'm not sure it even actually ever pops up when a network path *actually* isn't found, I've only ever seen it when an SMB network share is configured to allow open access and Windows is configured to disallow it.

(Also I *swear* this isn't new? I've had to change this setting on Pro installs at work for years, since there's some shares the engineers demand open access to and throw fits if they have to remember credentials for, even if those credentials are centralized and the same for them on every system. But maybe it rolled out some months back and that has bled into my years of using gpedit or a reg command on every Enterprise and Server install of Windows at the office.)

  9. Nintendo1889

    But then what would smb://live.sysinternals.com use? Samba.

  10. marcxm

    30 years too late

    About 30 years too late. They are funny, indeed.
