Windows 11 24H2 may block connections to unsecured third-party NAS devices — Microsoft enables SMB signing for enhanced security


Microsoft principal program manager Ned Pyle described new security changes in Windows 11 24H2 on the Microsoft blog. The changes will deny access to unsecured routers with USB ports and some Network Attached Storage (NAS) devices. Pyle says the potential issue arises because the upcoming upgrade abandons the much earlier variants of the Server Message Block (SMB) protocol.

Pyle explains that SMB1 is over forty years old, and warnings of its demise have been echoed since 2022. Windows 11 24H2 goes a step further: it requires SMB signing by default, which guards against tampering on the network. Guest fallback, which allows access to an SMB server without a username or password, will be disabled on Windows 11 Pro Edition for better security.

This added security is long overdue, as SMB signing has been available in Windows as an option for thirty years. Guest in Windows was deprecated twenty-five years ago, while the Guest fallback option was disabled in Windows 10 Enterprise, Education, and Pro for Workstation editions. These security implementations have also been present in Windows Insider Dev and Canary builds for a year. Pyle says that this change in Windows 11 24H2 will secure over a billion devices as it will force NAS and router makers to update unpatched devices.

SMB signing could serve as an added layer of security against malicious programs that access unsecured servers to transfer data without the user's knowledge and permission. Pyle explains that devices can no longer be tricked into connecting to a malicious server without login credentials, which blocks access by ransomware or other malicious programs designed to steal data.

However, this would also mean blocking access to your NAS, since Windows can't differentiate between a server with malicious intent and a trusted NAS that doesn't support the necessary protocols. Pyle explains that, as a result, it would generate the following error:

  • 0xc000a000
  • -1073700864
  • STATUS_INVALID_SIGNATURE
  • The cryptographic signature is invalid
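
How a receiver that requires signing arrives at the error above, as an added example (not code from Microsoft or the original article): it models SMB 2.x-style signing, where HMAC-SHA256 is computed over the message with the 16-byte Signature field zeroed; SMB 3.x dialects use AES-based MACs instead. The key, message contents and function names are constructed for illustration, and rejecting every unsigned message is this example's simplified policy.

```python
import hashlib
import hmac
import struct

STATUS_INVALID_SIGNATURE = 0xC000A000  # error code quoted in the article
SMB2_FLAGS_SIGNED = 0x00000008         # Flags bit set on signed SMB2 messages
SIG = slice(48, 64)                    # Signature field in the 64-byte header


def build_message(payload: bytes, message_id: int, session_id: int) -> bytearray:
    """Build a constructed, unsigned SMB2 message (64-byte header + payload)."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        b"\xfeSMB", 64, 0, 0,   # ProtocolId, StructureSize, CreditCharge, Status
        0x0008, 1, 0, 0,        # Command (READ), Credits, Flags, NextCommand
        message_id, 0, 1,       # MessageId, Reserved, TreeId
        session_id, bytes(16),  # SessionId, Signature (zero until signed)
    )
    return bytearray(header + payload)


def sign(message: bytearray, key: bytes) -> bytes:
    """Set the SIGNED flag, MAC the message with a zeroed Signature field,
    and store the first 16 bytes of the MAC in the header."""
    flags = struct.unpack_from("<I", message, 16)[0] | SMB2_FLAGS_SIGNED
    struct.pack_into("<I", message, 16, flags)
    message[SIG] = bytes(16)
    message[SIG] = hmac.new(key, bytes(message), hashlib.sha256).digest()[:16]
    return bytes(message)


def verify(message: bytes, key: bytes) -> int:
    """Return 0 on success, STATUS_INVALID_SIGNATURE otherwise (assumed policy:
    unsigned or truncated messages are rejected like a bad signature)."""
    if len(message) < 64:
        return STATUS_INVALID_SIGNATURE
    if not struct.unpack_from("<I", message, 16)[0] & SMB2_FLAGS_SIGNED:
        return STATUS_INVALID_SIGNATURE
    zeroed = bytearray(message)
    zeroed[SIG] = bytes(16)
    expected = hmac.new(key, bytes(zeroed), hashlib.sha256).digest()[:16]
    ok = hmac.compare_digest(message[SIG], expected)
    return 0 if ok else STATUS_INVALID_SIGNATURE


def as_signed32(status: int) -> int:
    """Render an NTSTATUS as a signed 32-bit integer, as some tools print it."""
    return status - (1 << 32) if status & 0x80000000 else status
```

The signed-integer rendering of `STATUS_INVALID_SIGNATURE` is the `-1073700864` value in the list above, which is why the same failure shows up under either number.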

NAS makers to follow suit?

Although the older behavior is now disabled by default, users can revert the changes at the cost of a less secure system. This is where device manufacturers must provide a security patch for unsecured devices.

Pyle explains that Microsoft would like to know if users have routers with USB ports and NAS units that do not support SMB signing. He says, "If you have a third-party NAS device that doesn't support SMB signing, we want to hear about it. Please email wontsignsmb@microsoft.com with the make and model of your NAS device so we can share it with the world and perhaps get the vendor to fix it with an update."

It's also likely that the respective NAS devices and routers with USB ports support SMB signing but have it turned off by default. Users could probably turn it on via the NAS management software. However, this may encourage NAS and router makers to turn these off by default while providing the ability to turn on the SMB guest fallback option should the user need it.

Helping to secure one's network-attached drives is always going to be seen in a positive light by several users. It is also unlikely many NAS makers would risk being named by Microsoft as an unsecured device. Still, you'll never know until Windows 11 24H2 is released and, eventually, a list of unsecured NASs is published. 

This isn't the only security provision provided with Windows 11 24H2, but only time will tell how many users would be affected by this change.

Roshan Ashraf Shaikh
Contributing Writer

Roshan Ashraf Shaikh has been in the Indian PC hardware community since the early 2000s and has been building PCs, contributing to many Indian tech forums, & blogs. He operated Hardware BBQ for 11 years and wrote news for eTeknix & TweakTown before joining Tom's Hardware team. Besides tech, he is interested in fighting games, movies, anime, and mechanical watches.

  • ezst036
    How will this affect using a computer that has been brought out from the basement (previously used, now collecting dust) and reformatted/re-commissioned as a linux-based NAS?

    These old Core 2s and first gen Zen computers make great personal servers(print, data, music, etc).

    Not everybody will just be going out and buying some retail NAS around here.

    EDIT: Made the text bigger for the part people keep missing or choosing to ignore.
    Reply
  • USAFRet
    ezst036 said:
    How will this affect using a computer that has been brought out from the basement (previously used, now collecting dust) and reformatted/re-commissioned as a linux-based NAS?

    These old Core 2s and first gen Zen computers make great personal servers(print, data, music, etc).

    Not everybody will just be going out and buying some retail NAS around here.

    Probably will just need an update to whatever OS it is running.

    An old protocol going away is not a new or unique thing.
    Reply
  • ezst036
    USAFRet said:
    An old protocol going away is not a new or unique thing.

    Agree.
    Reply
  • coromonadalix
    and what do you do when the nas maker doesn't upgrade its nas Os ????...
    Reply
  • brandonjclark
    For those wondering how this will affect them, here are a few things I can think of...


    SMB Signing doesn't require certificates, rather it uses hashes.
    Signing adds a small amount of new data requirement (the signing exchange process data {key, session data}) to each block.
    This will REDUCE performance, especially if you are logging your SMB transactions.
    Have fun updating your old devices (OS's) or disable this new SMB requirement.*
    Can anyone find fault with these statements?


    PowerShell
    #get status of SMB Signing
    Get-SmbClientConfiguration | select RequireSecuritySignature

    #disable SMB Signing
    Set-SmbClientConfiguration -RequireSecuritySignature $false

    #get status of guest fallback
    Get-SmbClientConfiguration | select EnableInsecureGuestLogons

    #enable guest fallback
    Set-SmbClientConfiguration -EnableInsecureGuestLogons $true
    Reply
  • USAFRet
    coromonadalix said:
    and what do you do when the nas maker doesn't upgrade its nas Os ????...

    Cross that bridge when you come to it.

    My QNAP is currently over 7 years old (Jan 2017)
    It gets updates regularly...like every 4-6 weeks.
    Reply
  • Katana.lx
    Admin said:
    To boost security for its users, Microsoft has disabled SMB1 and Guest Signing protocol by default, securing billions of Windows 11 24H2 PCs as it would not allow access to unsecured NAS devices, prompting the respective manufacturers to enable it.

    Dear Mr Roshan Ashraf Shaikh,

    I'm sorry but what you describe happens for a while in Windows 10. I don't know in which update that happened but every time I make a new installation in Windows 10, I have to install manually the SMB 1.1 services. I have a D-LINK NAS enclosure (DNS-323) and I cannot reach it in Windows or Linux Mint without installing manually the services (in the case of Mint you have to change a file) for quite some time.
    Windows 11 was behind Windows 10 in this case.

    Dinis Domingos
    Reply
  • ravewulf
    One potential wrinkle is for retro computer hobbyists who want to transfer files between a modern computer or NAS and their older Windows 9x/Windows XP systems
    Reply
  • USAFRet
    ravewulf said:
    One potential wrinkle is for retro computer hobbyists who want to transfer files between a modern computer or NAS and their older Windows 9x/Windows XP systems

    If it fails, sneakernet.
    Reply
  • derekullo
    Years ago at work I set up a Xigmanas NAS using SMB1 that any computer on our network could read from for the purposes of installing software using psexec. (The share is write protected by default unless I need to add files)

    Before Windows 11 all computers were able to access the NAS without issue.
    With Windows 11 Enterprise I had to update the nas protocol to SMB3 and add the following script to the beginning of my update script.

    net use Z: \\ServerName\ShareName /user:genericx genericxpassword /persistent:no (not the real username or pass :p)

    So that windows wouldn't give the error of can't connect to an unsecured NAS or something like that.

    I guess this makes it more secure, but if that's all it takes is a malicious user to create a generic account to connect to their malicious NAS I don't see any security in that.

    Will SMB signing require more steps than this to access the NAS or is using SMB3 all that is needed?
    Reply