
Windows 11 24H2 may block connections to unsecured third-party NAS devices – Microsoft enables SMB signing for improved security

Microsoft’s chief program manager, Ned Pyle, described the new security changes in Windows 11 24H2 on the Microsoft blog. The changes will block access to unsecured routers with USB ports and certain network-attached storage devices. Pyle mentions that the upcoming update will drop much older variants of the Server Message Block (SMB) protocol, and with them a potential problem.

Pyle explains that SMB1 is over forty years old, and warnings of its demise have been repeated since 2022. Windows 11 24H2 goes a step further by requiring SMB signing by default to avoid network tampering. Guest fallback, which allows access to an SMB server without a username and password, will be disabled in Windows 11 Pro edition, which provides greater security.

This additional security has been long overdue, as SMB signing has been available as an option in Windows for thirty years. The guest feature in Windows was retired twenty-five years ago, while the guest restore option has been disabled in Windows 10 Enterprise, Education, and Pro workstation editions. These security implementations have also been present in Windows Insider Dev and Canary builds for a year. Pyle says this change to Windows 11 24H2 will protect over a billion devices because it will force NAS and router makers to update unpatched devices.

SMB signing can serve as an additional layer of security against malicious programs that access unsecured servers to transmit data without the user’s knowledge or permission. Pyle explains that devices can no longer be tricked into connecting to a malicious server without login credentials, which blocks ransomware or malicious programs designed to steal data.

However, this also means blocking access to your NAS, because Windows cannot distinguish between a malicious server and a trusted NAS that does not support the necessary protocols. Pyle explains that it would produce the following error as a result:

Will NAS manufacturers follow suit?

Although insecure connections of this kind are now disabled by default, the changes can be rolled back at the cost of a less secure system. In this case, device manufacturers must provide a security patch for unsecured devices.

Pyle explains that Microsoft would like to know if users have routers with USB ports and NAS units that do not support SMB signing. He says: “If you have a third-party NAS device that doesn’t support SMB signing, we’d like to hear about it. Please email [email protected] with the make and model of your NAS device so we can share it with the world, and perhaps ask your provider to fix it with an update.”

It is also likely that suitable NAS and routers with USB ports may have SMB signing, but it is probably disabled by default. Users could probably enable this using their NAS management software. However, this may encourage NAS and router manufacturers to disable them by default, while also providing the option to enable SMB guest failover if the user needs it.
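To find out which of your current shares would be affected before upgrading, the read-only audit below flags SMB connections that use an SMB1 dialect or are not signed. It is an added example, not code from Microsoft or from Pyle's post; it assumes the `Dialect` and `Signed` properties reported by `Get-SmbConnection`, and the function name and sample server names are hypothetical.

```powershell
# Added example: read-only audit, it changes no SMB settings.
function Get-SmbUpgradeRisk {
    [CmdletBinding()]
    param(
        # Any object exposing ServerName, ShareName, Dialect and Signed,
        # such as the output of Get-SmbConnection.
        [Parameter(Mandatory, ValueFromPipeline)]
        $Connection
    )
    process {
        $reasons = @()
        if ($Connection.Dialect -like '1.*') { $reasons += 'SMB1 dialect' }
        if (-not $Connection.Signed)         { $reasons += 'session not signed' }
        [pscustomobject]@{
            Server  = $Connection.ServerName
            Share   = $Connection.ShareName
            Dialect = $Connection.Dialect
            Signed  = [bool]$Connection.Signed
            AtRisk  = $reasons.Count -gt 0
            Reasons = $reasons -join '; '
        }
    }
}

# Constructed sample rows (not real devices) so the logic can be tried offline.
$sample = @(
    [pscustomobject]@{ ServerName = 'nas-old';  ShareName = 'media';  Dialect = '1.50';  Signed = $false }
    [pscustomobject]@{ ServerName = 'router';   ShareName = 'usb1';   Dialect = '2.1';   Signed = $false }
    [pscustomobject]@{ ServerName = 'files01';  ShareName = 'dept';   Dialect = '3.1.1'; Signed = $true  }
)
$sample | Get-SmbUpgradeRisk | Format-Table -AutoSize

# On a live Windows client: show the relevant client settings, then the
# currently open connections that the stricter defaults would affect.
if (Get-Command Get-SmbConnection -ErrorAction SilentlyContinue) {
    Get-SmbClientConfiguration |
        Select-Object RequireSecuritySignature, EnableInsecureGuestLogons
    Get-SmbConnection | Get-SmbUpgradeRisk | Where-Object AtRisk |
        Format-Table -AutoSize
}
```

An unsigned session only shows that signing was not negotiated for that connection; the device may still support signing once it is enabled in its management software, so treat flagged rows as devices to check rather than devices known to fail.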

Helping secure network-attached drives will always be viewed in a positive light by some users. It’s also unlikely that many NAS manufacturers will run the risk of Microsoft labeling them an insecure device. Still, you won’t know until Windows 11 24H2 is released and the list of unsecured NAS servers is finally published.

This is not the only security available in Windows 11 24H2, but time will tell how many users this change will affect.