Microsoft’s principal program manager, Ned Pyle, addressed newsecuritychanges withWindows 1124H2 via theMicrosoft blog. The changes will deny access to unsecured routers with USB ports and someNetwork Attached Storagedevices. Pyle mentions that the upcoming upgrade abandons the much earlier variants of the Server Message Block (SMB) protocol and hence the potential issue.
Pyle explains that SMB1 is over forty years old, and warnings of its demise have been echoed since 2022. TheWindows 11 24H2takes one step forward, as it requires SMB signing by default, which will avoid tampering on the network. Guest fallback will be disabled on Windows 11 Pro Edition, which provides better security as it allows access to an SMB server without a username or password.
This added security is long overdue as SMB signing has been available in Windows for thirty years as an option. Guest in Windows was deprecated twenty-five years ago, while the Guest fallback option was disabled in Windows 10Enterprise, Education, and Pro for Workstation editions. These security implementations have also been present in Windows Insider Dev, andCanary buildsfor a year. Pyle says that this change in Windows 11 24H2 will secure over a billion devices as it will force NAS and router makers to update unpatched devices.
SMB signing could serve as an added layer of security against malicious programs that access unsecured servers without the user’s knowledge and permission to transfer data. Pyle explains that the devices can no longer be tricked into connecting to a malicious server without login credentials, blocking access toransomwareor malicious programs designed tosteal data.
However, this would also mean blocking access to your NAS since it can’t differentiate between a server with malicious intent or a trusted NAS that doesn’t have the necessary protocols. Pyle explains that, as a result, it would generate the following error:
NAS makers to follow suit?
Despite being disabled by default, one could revert the changes at the cost of having a less secure system. This is where device manufacturers must provide a security patch to unsecured devices.
Pyle explains that Microsoft would like to know if users have routers with USB ports and NAS units that do not support SMB signing. He says, “If you have a third-party NAS device that doesn’t support SMB signing, we want to hear about it. Please email wontsignsmb@microsoft.com with the make and model of your NAS device so we can share it with the world and perhaps get the vendor to fix it with an update.”
Get Tom’s Hardware’s best news and in-depth reviews, straight to your inbox.
It’s also likely that the respective NAS and routers with USB ports may have the SMB signing but possibly turn it off by default. Users could probably turn it on via the NAS management software. However, this may encourage NAS and router makers to turn these off by default while providing the ability to turn on the SMB guest fallback option should the user need it.
Helping to secure one’s network-attached drives is always going to be seen in a positive light by several users. It is also unlikely many NAS makers would risk being named by Microsoft as an unsecured device. Still, you’ll never know until Windows 11 24H2 is released and, eventually, a list of unsecured NASs is published.
This isn’t the onlysecurity provisionprovided with Windows 11 24H2, but only time will tell how many users would be affected by this change.
Roshan Ashraf Shaikh has been in the Indian PC hardware community since the early 2000s and has been building PCs, contributing to many Indian tech forums, & blogs. He operated Hardware BBQ for 11 years and wrote news for eTeknix & TweakTown before joining Tom’s Hardware team. Besides tech, he is interested in fighting games, movies, anime, and mechanical watches.
