There are still a few days to go before Windows 11 24H2 is generally rolled out. However, the Windows Insider Release Preview builds already show where problems may arise. One problem area is the SMB service or protocol, to which Microsoft has made some changes. These can lead to NAS drives no longer being accessible from Windows 11 24H2. There are, however, workarounds that Microsoft has provided for those affected. Here is an addendum on the topic.
What is SMB?
The abbreviation SMB stands for Server Message Block, a network protocol (also known as Common Internet File System, CIFS) for file, print and other server services in computer networks. It is a central part of the network services of the Windows product family and allows access to files and directories located on another computer.
Changes to SMB in Windows 11 24H2
Back at the end of May 2024, Ned Pyle pointed out the changes Microsoft has made to SMB in Windows 11 24H2 in the Tech Community article "Accessing a third-party NAS with SMB in Windows 11 24H2 may fail". Two major changes affect the integration of NAS drives (Network Attached Storage drives).
- SMB signing is required by default for all SMB connections. This is intended to increase security by preventing manipulation in the network and preventing relay attacks that send user login data to malicious servers.
- In Windows 11 Pro 24H2, the so-called Guest Fallback is deactivated. This is intended to increase security when connecting to untrusted devices.
Background: With guest mode, users can connect to an SMB server without authenticating via user name and/or password. This is practical for the manufacturers of NAS devices, who save money when implementing the firmware. However, allowing guest mode also means that a system can be tricked into connecting to a malicious server, because no login information is requested in guest mode. It is then easy to roll out ransomware or malware or to steal the user's data.
Implications on NAS systems
The changes mentioned above are a deep intervention in the existing ecosystem. SMB signing has been available in Windows for 30 years. Now, for the first time, SMB signing is required by default for all connections. SMB guest fallback has been disabled in the Enterprise, Education and Pro for Workstation editions since Windows 10.
However, it can be assumed that numerous NAS systems are likely to be affected by the changes in Windows 11 24H2. If a NAS relies on guest fallback or does not support SMB signing, error messages are likely to occur when attempting to access it. If SMB signing is not supported, the following errors are likely to be reported:
- 0xc000a000
- -1073700864
- STATUS_INVALID_SIGNATURE
- The cryptographic signature is invalid
If the NAS expects access in "Guest mode" (guest access), access is rejected with the error messages listed below:
- You cannot access this shared folder because your company's security policies block unauthorized guest access. These policies help protect your PC from insecure or malicious devices on the network.
- The network path was not found
- A system error 3227320323 has occurred
- Error 0x80070035
- Error 0x800704f8
In these scenarios, access to the file shares on the NAS system from Windows 11 version 24H2 is no longer possible, and the user must make sure the NAS meets the necessary requirements.
What can be done?
In the Tech Community article, Microsoft provides several tips on what the user can do in the event of an error. The measures listed below relate to the NAS system.
- SMB signing must be activated on the NAS. This should be offered as an option in the management interface of the NAS in question.
- If guest access is set up on a third-party NAS, users must disable this mode. Here too, a corresponding option should be offered in the management interface of the NAS in question.
- After disabling guest access, the login must be configured using a user name and password for the NAS in the management interface of the relevant device.
If these options are missing on the management interface of the NAS in question, it must be clarified whether a firmware update that provides these options is possible. If the NAS is already end-of-life and there is no firmware update that enables the above options, the device must be replaced.
In the Tech Community article "Accessing a third-party NAS with SMB in Windows 11 24H2 may fail", Microsoft also describes a group policy to disable SMB signing and allow guest mode again, although this step is not recommended. In this context, Microsoft mentions again that the SMB1 network protocol is disabled by default in all editions of Windows 11. This could affect old devices such as NAS systems or scanners that only support SMB1. Administrators have the option of reactivating SMB1 via the Windows features. In the medium term, however, the old devices should be replaced for security reasons.
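To see where a given Windows client stands on the two changes described above, and whether the workaround policy has weakened it, a check along the following lines can be used. It is an added example, not code from the Microsoft article; the host name nas.example.internal is a placeholder, and the function name is made up for this illustration.

```powershell
# Added example: report the SMB client settings discussed in the article and
# whether existing connections to a NAS are actually signed.
# Run in an elevated PowerShell session.
function Get-SmbClientPosture {
    [CmdletBinding()]
    param(
        # Placeholder host name (assumption); use the name the share is mapped with.
        [string]$NasServer = 'nas.example.internal'
    )

    $cfg = Get-SmbClientConfiguration

    # 1. Client-side policy: signing required, guest fallback off.
    [pscustomobject]@{
        Check = 'RequireSecuritySignature'
        Value = $cfg.RequireSecuritySignature
        OK    = [bool]$cfg.RequireSecuritySignature
        Note  = 'False means the client accepts unsigned SMB sessions'
    }
    [pscustomobject]@{
        Check = 'EnableInsecureGuestLogons'
        Value = $cfg.EnableInsecureGuestLogons
        OK    = -not $cfg.EnableInsecureGuestLogons
        Note  = 'True means guest fallback has been re-enabled'
    }

    # 2. Live sessions: the Signed property shows what was negotiated with the NAS.
    $conns = @(Get-SmbConnection -ServerName $NasServer -ErrorAction SilentlyContinue)
    if ($conns.Count -eq 0) {
        [pscustomobject]@{
            Check = "Connection to $NasServer"
            Value = 'none'
            OK    = $null
            Note  = 'Open the share first, then run the check again'
        }
    }
    foreach ($c in $conns) {
        [pscustomobject]@{
            Check = "\\$($c.ServerName)\$($c.ShareName) ($($c.Dialect))"
            Value = "Signed=$($c.Signed) User=$($c.UserName)"
            OK    = [bool]$c.Signed
            Note  = 'Unsigned sessions can be tampered with or relayed'
        }
    }
}

Get-SmbClientPosture | Format-Table -AutoSize -Wrap
```

Any row with OK set to False marks a client that has drifted from the Windows 11 24H2 defaults or a NAS session that was negotiated without signing.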