If you can't open or map network shared folders on your NAS, Samba Linux server, or computers running older Windows versions (Windows 7/XP/Server 2003) from Windows 10, the most likely cause is that legacy and insecure versions of the SMB protocol are disabled in the latest Windows 10 builds (the SMB protocol is used in Windows to access shared network folders and files).
Starting with Windows 10 1709 and Windows Server 2019 (both Datacenter and Standard), the unsafe SMBv1 protocol is disabled by default due to CVE-2017-0144 (remember the WannaCry ransomware attack, which was carried out through the SMBv1 vulnerability), as is anonymous (guest) access to network shared folders.
The specific actions you need to take depend on the error that appears in Windows 10 when you try to access the shared folder, and on the settings of the remote SMB server that hosts the network shares.
- Can't Access Shared Folder Because Security Policies Block Unauthenticated Guest Access
- Windows 10 Error: Your system requires SMB2 or higher
Can't Access Shared Folder Because Security Policies Block Unauthenticated Guest Access
Starting with the Windows 10 build 1709 Fall Creators Update (Enterprise and Education editions), users began to complain that an error appeared when they tried to open a network shared folder on a nearby computer:
An error occurred while reconnecting Y: to \\nas1\share
Microsoft Windows Network: You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.
Moreover, on other computers running Windows 8.1, Windows 7, or Windows 10 builds up to 1709, the same shared network folders open normally. The point is that in modern versions of Windows 10 (starting from build 1709), guest access to shared folders over the SMBv2 protocol is disabled by default. Guest (anonymous) access means access to a shared network folder without authentication. When a network folder is accessed under a guest account over the SMBv1/v2 protocol, such traffic protection methods as SMB signing are not used, which makes your session vulnerable to MiTM (man-in-the-middle) attacks.
In Windows 10 Home and Pro 1709, these changes are not applied and network access under the guest account works fine.
If you try to access a network shared folder over the SMBv2 protocol under the guest account, the following error appears in the SMB client log (Microsoft-Windows-SMBClient):
Source: Microsoft-Windows-SMBClient
Event ID: 31017
Rejected an insecure guest logon.
In most cases you will face this problem when accessing old NAS devices (guest access is usually enabled on them for ease of setup) or when opening network folders on Windows 7/2008 R2 or Windows XP/2003 with anonymous (guest) access configured.
In this case, Microsoft recommends changing the settings on the remote computer or NAS device that hosts the network folders. It is advisable to switch the network shares to SMBv3 mode, or to configure access with authentication if the device supports only the SMBv2 protocol. This is the most correct and safest way to fix the problem.
Depending on the device on which the network folders are stored, you must disable guest access on it:
- NAS devices: disable guest access in the settings of your NAS device (depending on the model);
- Samba server on Linux: if you share a network folder using Samba on Linux, add the following line to the [global] section of the smb.conf configuration file:
map to guest = never
And prohibit anonymous access in the section that describes the shared folder:
guest ok = no
- In Windows, you can enable sharing of network folders and printers with password protection via Control Panel -> Network and Sharing Center -> Advanced sharing settings. For All Networks, in the "Password Protected Sharing" section, change the value to "Turn on password protected sharing". In this case, anonymous (guest) access to the network shared folders will be disabled, and you will have to create user accounts, grant them access, and use these accounts to connect to the shared folders on the remote computer.
There is another way: you can change the settings on your Windows 10 computer to allow access to shared network folders under the guest account. This method should be used only as a temporary workaround (!!!), because access to folders without authentication significantly reduces the security of your computer and data.
To allow access under the guest account from your computer, use the Group Policy Editor (gpedit.msc). Go to Computer Configuration -> Administrative Templates -> Network -> Lanman Workstation. Find and enable the policy Enable insecure guest logons. This policy setting determines whether the SMB client will allow insecure guest logons to an SMB server.
You can make the same change through the registry with the command:
reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters /v AllowInsecureGuestAuth /t reg_dword /d 00000001 /f
Windows 10 Error: Your system requires SMB2 or higher
Another possible problem when accessing a network folder from Windows 10 is that the server supports only the SMBv1 protocol. Since the SMBv1 client is disabled by default in Windows 10 1709 and newer, you may get an error when you try to open the shared folder:
You can't connect to the file share because it's not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack. Your system requires SMB2 or higher.
The error message clearly shows that the network shared folder supports access only over the SMBv1 protocol. In this case, you should try to reconfigure the remote SMB device to use at least SMBv2 (the correct and safe way).
If you use a Samba server on Linux to share network folders, you can specify the minimum supported version of the SMB protocol in the smb.conf file like this:
[global]
server min protocol = SMB2_10
client max protocol = SMB3
client min protocol = SMB2_10
encrypt passwords = true
restrict anonymous = 2
On Windows 7/Windows Server 2008 R2, you can disable the SMB 1 protocol and enable SMBv2 with the following PowerShell commands:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 -Force
On Windows 8.1/Windows Server 2012 R2, you can disable SMBv1 and enable SMBv2 and SMBv3 with the following commands (verify is used for your network connection):
Disable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol"
Set-SmbServerConfiguration -EnableSMB2Protocol $true
If your network device (NAS, Windows XP, Windows Server 2003) supports only the SMB1 protocol, you can enable a separate SMB1Protocol-Client feature on Windows 10. But this is not recommended!!!
Open a PowerShell prompt and verify that SMB1Protocol-Client is disabled (State: Disabled):
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Client
Enable the SMBv1 client protocol (a reboot is required):
Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Client
You can also enable or disable additional Windows 10 features (including SMBv1 components) from the dialog optionalfeatures.exe -> SMB 1.0/CIFS File Sharing Support.
On Windows 10 1809 and newer, the SMBv1 client is automatically removed if it has not been used for more than 15 days (the SMB 1.0/CIFS Automatic Removal feature is responsible for this).
In this example, I enabled only the SMBv1 client. Do not enable the SMB1Protocol-Server feature if your computer is not used by legacy clients as an SMB shared folder server.
After installing the SMBv1 client, you should be able to connect to a shared folder or printer without any problems. However, you should understand that using this workaround is not recommended, because it reduces the security of your system.
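Because both workarounds on this page (insecure guest logons and the SMBv1 client) are meant to be temporary, a read-only check of the client's current state helps confirm they have been reverted. The script below is an added example, not part of the original article; the function name Get-SmbClientPosture is hypothetical, and the Group Policy registry location and the Microsoft-Windows-SmbClient/Security channel name are not given on this page.

```powershell
# Added audit example (not from the original article). Run in an elevated
# PowerShell prompt on the Windows 10 client; it only reads state.
function Get-SmbClientPosture {
    $findings = [ordered]@{}

    # 1. Insecure guest logons: the local value set by the reg add command,
    #    and the location written by the "Enable insecure guest logons" policy.
    $paths = @{
        Local  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
        Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
    }
    foreach ($name in $paths.Keys) {
        $item = Get-ItemProperty -Path $paths[$name] -Name AllowInsecureGuestAuth `
            -ErrorAction SilentlyContinue
        $findings["GuestAuth$name"] =
            if ($null -eq $item) { 'not set' } else { $item.AllowInsecureGuestAuth }
    }

    # 2. State of the SMBv1 client and server optional features.
    foreach ($feature in 'SMB1Protocol-Client', 'SMB1Protocol-Server') {
        $findings[$feature] =
            "$((Get-WindowsOptionalFeature -Online -FeatureName $feature).State)"
    }

    # 3. Rejected insecure guest logons (event 31017) in the last 7 days.
    $filter = @{
        LogName   = 'Microsoft-Windows-SmbClient/Security'
        Id        = 31017
        StartTime = (Get-Date).AddDays(-7)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $findings['Event31017Last7Days'] = $events.Count

    [pscustomobject]$findings
}

$posture = Get-SmbClientPosture
$posture | Format-List

if ($posture.GuestAuthLocal -eq 1 -or $posture.GuestAuthPolicy -eq 1) {
    Write-Warning 'Insecure guest logons are allowed; revert once the server requires authentication.'
}
if ($posture.'SMB1Protocol-Client' -eq 'Enabled') {
    Write-Warning 'The SMBv1 client is enabled; remove it once no SMB1-only device remains.'
}
```

A non-zero Event31017Last7Days count with guest logons still blocked points to a server that continues to offer guest access and should be reconfigured for authenticated access.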