Troubleshooting IT problems is hard. Troubleshooting problems that arise on end-user devices around the same time as these devices automatically update should be simpler, but can be just as hard.
Today, let’s talk about some behavior we’re seeing at some organizations surrounding the May 2021 Cumulative Update for Windows 10.
The situation
Within the organization, people use one or more storage appliances and/or non-Microsoft Windows Server-based storage servers for general purpose file sharing purposes.
The issue
After installing the May 2021 Cumulative update, people receive the following error when accessing file shares:
You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.
The cause
This error is caused by the May 2021 Cumulative Update. This update addresses a vulnerability in the Windows SMB Client referred to as CVE-2021-31205.
While the official Microsoft documentation states that Windows Operating Systems beyond Windows 10 version 1709 (including Windows Server 2019) have guest fallback access in SMB2 disabled by default, this is not the case.
The May 2021 Cumulative update disables guest fallback access on on Windows 10 version 1709 and up, and Windows Server 2019, and up. This enforces these Operating Systems (with the exclusion of Windows Home SKUs) to no longer allow a user to connect to a remote share by using guest credentials by default, even if the remote server requests guest credentials.
The solution
If you experience this error, an admin that is a member of the Domain Admins group or has delegated permissions to create, edit and link Group Policy objects can re-enable insecure guest access using the following steps:
- Open the Group Policy Management Console (gpmc.msc).
- In the left navigation pane, expand the Forest container.
- Expand the Domains container, and then navigate to the domain.
- Expand the domain name.
- Right-click the Group Policy Objects node and select New from the menu.
- In the New GPO pop-up window, enter the name of the Group Policy Object. For instance: Enable Insecure guest access. Make sure you don’t select a Starter GPO.
- Click OK to create the GPO.
- Select the Group Policy Object.
- In the main pane, on the Settings tab, inspect the settings. Use the show, hide and show all buttons to display settings under their respective Group Policy settings nodes.
- In the left navigation pane, right-click the GPO and select Edit… from the menu.
The Group Policy Editor (gpedit.msc) window appears. - In the left navigation pane, expand Computer Configuration, then Policies, Administrative Templates, Network and finally Lanman Workstation.
- In the main pane, right-click the Enable insecure guest logons setting and select Edit.
- Select Enabled and click OK.
- Back in the Group Policy Management Console, navigate to the Organization Unit (OU) where you want to link the Group Policy object. Preferably, this is the (top) OU containing (the OU structure with) the devices on which your end-users experience the error.
- Right-click the OU and select Link an existing GPO… from the menu
- In the Select GPO window, select the Group Policy object created above from the list of available Group Policy objects:.
- Click OK to link the GPO.
After the next Group Policy background refresh, devices that are part of the Organizational Unit (OU) structure beneath the OU where the Group Policy object was linked will allow insecure guest access.
Concluding
Microsoft disables guest access fallback for SMB2 to increase the overall security level within the organization. Guest access fallback allows an attacker with a malicious computer to impersonate a legitimate file server could and allow allow users from hour organization to connect as guests without their knowledge.
If you re-enable guest access fallback, please make plans to remediate the situation where storage appliances and/or servers use SMB2 and the situation where storage appliances and/or servers request guest credentials.
Migrating to Windows Server-based file servers, Azure Files and/or SharePoint Online are secure solutions to address the above situations.
Further reading
CVE-2021-31205 – Windows SMB Client Security Feature Bypass Vulnerability
Guest access in SMB2 is disabled
Sir
I cant find gpmc.msc through run . Please help me .
Hi Arsalan,
The Group Policy Management Console (gpmc.msc) is installed on Domain Controllers, by default.
It may not be installed on the device you're using. On a domain-joined Windows 10 device, install the Remote Server Administration Tools (RSAT) to gain access to this tool. On a domain-joined Windows Server installation, you can install it using the following line of Windows PowerShell:
Install-WindowsFeature GPMC