Microsoft's principal program manager, Ned Pyle, addressed new security changes with Windows 11 24H2 via the Microsoft blog. The changes will deny access to unsecured routers with USB ports and some Network Attached Storage devices. Pyle mentions that the upcoming upgrade abandons the much earlier variants of the Server Message Block (SMB) protocol and hence the potential issue.
Pyle explains that SMB1 is over forty years old, and warnings of its demise have been echoed since 2022. The Windows 11 24H2 takes one step forward, as it requires SMB signing by default, which will avoid tampering on the network. Guest fallback will be disabled on Windows 11 Pro Edition, which provides better security as it allows access to an SMB server without a username or password.
This added security is long overdue as SMB signing has been available in Windows for thirty years as an option. Guest in Windows was deprecated twenty-five years ago, while the Guest fallback option was disabled in Windows 10 Enterprise, Education, and Pro for Workstation editions. These security implementations have also been present in Windows Insider Dev, and Canary builds for a year. Pyle says that this change in Windows 11 24H2 will secure over a billion devices as it will force NAS and router makers to update unpatched devices.
SMB signing could serve as an added layer of security against malicious programs that access unsecured servers without the user's knowledge and permission to transfer data. Pyle explains that the devices can no longer be tricked into connecting to a malicious server without login credentials, blocking access to ransomware or malicious programs designed to steal data.
However, this would also mean blocking access to your NAS since it can't differentiate between a server with malicious intent or a trusted NAS that doesn't have the necessary protocols. Pyle explains that, as a result, it would generate the following error:
- 0xc000a000
- -1073700864
- STATUS_INVALID_SIGNATURE
- The cryptographic signature is invalid
NAS makers to follow suit?
Despite being disabled by default, one could revert the changes at the cost of having a less secure system. This is where device manufacturers must provide a security patch to unsecured devices.
Pyle explains that Microsoft would like to know if users have routers with USB ports and NAS units that do not support SMB signing. He says, "If you have a third-party NAS device that doesn't support SMB signing, we want to hear about it. Please email wontsignsmb@microsoft.com with the make and model of your NAS device so we can share it with the world and perhaps get the vendor to fix it with an update."
It's also likely that the respective NAS and routers with USB ports may have the SMB signing but possibly turn it off by default. Users could probably turn it on via the NAS management software. However, this may encourage NAS and router makers to turn these off by default while providing the ability to turn on the SMB guest fallback option should the user need it.
Helping to secure one's network-attached drives is always going to be seen in a positive light by several users. It is also unlikely many NAS makers would risk being named by Microsoft as an unsecured device. Still, you'll never know until Windows 11 24H2 is released and, eventually, a list of unsecured NASs is published.
This isn't the only security provision provided with Windows 11 24H2, but only time will tell how many users would be affected by this change.
