Guest access in SMB2 disabled by default in Windows 10, Windows Server 2016 version 1709, and Windows Server 2019

Applies to: Windows 10, version 1809Windows 10, version 1709Windows Server 2016 Version 1709 More

Symptoms


In Windows 10, version 1709, Windows Server version 1709, and Windows Server 2019, the SMB2 client no longer allows the following actions:
 
  • Guest account access to a remote server
  • Fallback to the Guest account after invalid credentials are provided
SMBv2 has the following behavior in Windows 10, version 1709, Windows Server version 1709, and Windows Server 2019:
  • Windows 10 Enterprise and Windows 10 Education no longer allow a user to connect to a remote share by using guest credentials by default, even if the remote server requests guest credentials.
  • Windows Server 2016 Datacenter and Standard edition no longer allow a user to connect to a remote share by using guest credentials by default, even if the remote server requests guest credentials.
  • Windows 10 Home and Professional editions are unchanged from their previous default behavior.
If you try to connect to devices that request credentials of a guest instead of appropriate authenticated principals, you may receive the following error message: 
 
Also, if a remote server tries to force you to use guest access, or if an administrator enables guest access, the following entries are logged in the SMB Client event log:

Log entry 1
Log Name:      Microsoft-Windows-SmbClient/SecuritySource:        Microsoft-Windows-SMBClientDate:          Date/TimeEvent ID:      31017Task Category: NoneLevel:         ErrorKeywords:      (128)User:          NETWORK SERVICEComputer:      ServerName.contoso.comDescription:Rejected an insecure guest logon.User name: NedServer name: ServerName


Guidance:

This event indicates that the server tried to log on the user as an unauthenticated guest but was denied by the client. Guest logons do not support standard security features such as signing and encryption. Therefore, guest logons are vulnerable to man-in-the-middle attacks that can expose sensitive data on the network. Windows disables "insecure" (nonsecure) guest logons by default. Microsoft recommends that you do not enable insecure guest logons.
 

Log entry 2

Log Name:      Microsoft-Windows-SmbClient/SecuritySource:        Microsoft-Windows-SMBClientDate:          Date/TimeEvent ID:      31018Task Category: NoneLevel:         WarningKeywords:      (128)User:          NETWORK SERVICEComputer:      ServerName.contoso.comDescription:The AllowInsecureGuestAuth registry value is not configured with default settings.Default Registry Value:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]"AllowInsecureGuestAuth"=dword:0Configured Registry Value:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]"AllowInsecureGuestAuth"=dword:1


Guidance:

This event indicates that an administrator has enabled insecure guest logons. An insecure guest logon occurs when a server logs on the user as an unauthenticated guest. This typically occurs in response to an authentication failure. Guest logons do not support standard security features such as signing and encryption. Therefore, allowing guest logons makes the client vulnerable to man-in-the-middle attacks that can expose sensitive data on the network. Windows disables insecure guest logons by default. Microsoft recommends that you do not enable insecure guest logons.
 

Cause


This change in default behavior is by design and is recommended by Microsoft for security.
 
A malicious computer that impersonates a legitimate file server could allow users to connect as guests without their knowledge. Microsoft recommends that you do not change this default setting. If a remote device is configured to use guest credentials, an administrator should disable guest access to that remote device and configure correct authentication and authorization.
 
Windows and Windows Server have not enabled guest access or allowed remote users to connect as guest or anonymous users since Windows 2000. Only third-party remote devices might require guest access by default. Microsoft-provided operating systems do not.
 

Resolution


If you want to enable insecure guest access, you can configure the following Group Policy settings:
 
Computer configuration\administrative templates\network\Lanman Workstation
"Enable insecure guest logons"
 
Note By enabling insecure guest logons, this setting reduces the security of Windows clients. 
 

More Information


This setting has no effect on SMB1 behavior. SMB1 continues to use guest access and guest fallback.
 
SMB1 is uninstalled by default in latest Windows 10 and Windows Server configurations. For more information see SMBv1 is not installed by default in Windows 10 Fall Creators Update and Windows Server, version 1709.