Can’t Access/Map Network Shared Folders over SMB from Windows 10

If you can’t open/map community shared folders in your NAS, Samba Linux server, computer systems with previous Windows variations (Windows 7/XP/Server 2003) from Windows 10, most definitely the issue is that legacy and insecure variations of the SMB protocol are disabled within the latest Windows 10 builds (SMB protocol is utilized in Windows to entry shared community folders and recordsdata).

Starting with Windows 10 1709 and Windows Server 2019 (each in Datacenter and Standard ), the unsafe by default SMBv1  due to CVE-2017-0144 (bear in mind the WannaCry ransomware assault, which was carried out by way of the SMBv1 vulnerability), in addition to nameless (visitor) entry to community shared folders.

The particular actions that you should take rely upon the error that seems in Windows 10 if you attempting to entry the shared folder, and on the settings of the distant SMB server that hosts the community shares.

Contents:

  • Can’t Access Shared Folder Because Security Policies Block Unauthenticated Guest Access
  • Windows 10 Error: Your system requires SMB2 or larger

Can’t Access Shared Folder Because Security Policies Block Unauthenticated Guest Access

Starting with the Windows 10 construct 1709 Fall Creators Update (Enterprise and Education editions), customers started to complain that when attempting to open a community shared folder on a close-by laptop, an error appeared:

Restoring Network Connections
An error happens if you attempt to open a community folder:
An error occurred whereas reconnecting Y: to nas1share

Microsoft Windows Network: You can’t entry this shared folder as a result of your group’s safety insurance policies block unauthenticated visitor entry. These insurance policies assist shield your PC from unsafe or malicious units on the community.

Moreover, on different computer systems with Windows eight.1, Win 7, or on Windows 10 with a construct of as much as 1709, the identical shared community folders open usually. The level is that in trendy variations of Windows 10 (beginning from 1709 construct), the visitor entry to the shared folders utilizing the SMBv2 protocol is disabled by default. Guest (nameless) means entry to a shared community folder with out authentication. When accessing a community folder beneath a visitor account over the SMBv1/v2 protocol, such strategies of site visitors safety as SMB signing and are usually not used, which makes your session susceptible to the MiTM (man-in-the-middle) assaults

In Windows 10 Home and Pro 1709, these modifications are usually not utilized and the community entry beneath the visitor account is working high quality.

If you attempt to entry a community shared folder utilizing the SMB v2 protocol beneath the visitor account, the next error seems within the SMB shopper log (Microsoft-Windows-SMBClient):

Source: Microsoft-Windows-SMBClient
Event ID: 31017
Rejected an insecure visitor logon.

In most instances you possibly can face this drawback when accessing previous NAS  units (normally visitor entry is enabled on them for ease of setup) or when opening community folders on Windows 7/2008 R2 / Windows XP/2003 with the nameless (visitor) entry configured (see the in numerous Windows editions).

In this case, Microsoft recommends to alter the settings on a distant laptop or NAS machine that host the community folders. It is advisable to change the community shares to the SMBv3 mode. Or configure entry with authentication if solely the SMBv2 protocol is supported by the machine. This is probably the most appropriate and most secure option to repair the issue.

Depending on the machine on which community folders are saved, you need to disable visitor entry on them:

  • NAS units – disable visitor entry within the settings of your NAS machine (relying on mannequin);
  • Samba server on Linux — if you’re share community folder utilizing Samba on Linux, add the next string to the smb.conf configuration file beneath the part [global]: map to visitor = by no means
    And prohibit nameless entry within the part with an outline of the shared folder: visitor okay = no
  • In Windows, you possibly can allow sharing of community folders and printers with password safety by way of the Control Panel -> Network and Sharing Center -> Advanced sharing settings. For All Networks within the “Password Protected Sharing” part, change the worth to the “Turn on password protected sharing”. In this case, nameless (visitor) entry to the community share folders can be disabled and you’ll have , grant then and use these accounts to connect with the shared folders on a distant laptop. windows 10 - enable password protected sharing (to disable guest access)

There is one other means – you possibly can change the settings in your Windows 10 laptop to permit entry to shared community folders beneath the visitor account. This technique ought to be used solely as a short lived workaround (!!!), as a result of entry to folders with out authentication considerably reduces the extent of safety of your laptop and knowledge.

To allow entry beneath the visitor account from your laptop, you should use the Group Policy Editor (gpedit.msc). Go to the part: Computer Configuration ->Administrative templates -> Network -> Lanman Workstation. Find and allow the coverage Enable insecure visitor logons. These coverage settings decide whether or not the SMB shopper will enable unsafe visitor logon to the SMB server.

Enable insecure guest logons policy

, you may make the same change by way of the registry editor with the command:

reg add HKLMSYSTEMCurrentControlSetProvidersLanmanWorkstationParameters /v AllowInsafeGuestAuth /t reg_dword /d 00000001 /f

Windows 10 Error: Your system requires SMB2 or larger

Another attainable drawback when accessing a community folder from Windows 10 is server-side help of solely the SMBv1 protocol. Since the SMBv1 shopper is disabled by default in Windows 10 1709 and newer, if you attempt to open the shared folder, you could get an error:

You can’t hook up with the file share as a result of it’s not safe. This share requires the out of date SMB1 protocol, which is unsafe and will expose your system to assault. Your system requires SMB2 or larger.

Windows 10 error: This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack. Your system requires SMB2 or higher

The error message clearly exhibits that the community shared folder solely helps entry over the SMBv1 protocol. In this case, it’s best to attempt to reconfigure the distant SMB machine to make use of at the least SMBv2 (the proper and secure means).

If you employ Samba server on Linux to share community folders, you possibly can specify the minimal supported model of SMB protocol within the smb.conf file like this:

[global]
server min protocol = SMB2_10
shopper max protocol = SMB3
shopper min protocol = SMB2_10
encrypt passwords = true
prohibit nameless = 2

On Windows 7/Windows Server 2008 R2, you possibly can disable the SMB 1 protocol and allow SMBv2 with the next PowerShell instructions:

Set-ItemProperty -Path "HKLM:SYSTEMCurrentControlSetProvidersLanmanServerParameters" SMB1 -Type DWORD -Value zero –Force
-Path "HKLM:SYSTEMCurrentControlSetProvidersLanmanServerParameters" SMB2 -Type DWORD -Value 1 –Force

On Windows eight.1/Windows Server 2012 R2, you possibly can disable SMBv1, allow SMBv2 and SMBv3, with the next command (confirm is used on your community connection):

Disable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol"
Set-SmbServerConfiguration –EnableSMB2Protocol $true

If your community machine (NAS, Windows XP, Windows Server 2003) helps solely the SMB1 protocol, you possibly can allow on Windows 10 a separate SMB1Protocol-Client function. But this isn’t advisable!!!

Run the PowerShell immediate and confirm that the SMB1Protocol-Client is disabled (State: Disabled):

Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Client

Enable the SMBv1 shopper protocol (a reboot is required):

Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Client

Get-WindowsOptionalFeature - get SMB1Protocol-Client state

You also can allow/disable further options of Windows 10 (together with SMBv1 elements) from the dialog optionalfeatures.exe -> SMB 1.zero/CIFS File Sharing Support.

enabling SMB 1.0/CIFS File Sharing Support feature on Windows 10

On Windows 10 1809 and newer, the SMBv1 shopper is mechanically deleted if it has not been used for greater than 15 days (the SMB 1.zero/CIFS Automatic Removal function is liable for this).

In this instance, I enabled solely the SMBv1 shopper. Do not allow the SMB1Protocol-Server function in case your laptop will not be utilized by legacy purchasers as a shared folder SMB server.

After putting in the SMBv1 shopper, it’s best to be capable of hook up with a shared folder or printer with none issues. However, it’s best to perceive that utilizing this workaround will not be advisable, as a result of this reduces the extent of safety on your system.

Check Also

Configuring L2TP/IPSec VPN Connection Behind a NAT, VPN Error Code 809

Due to disabling PPTP VPN help in iOS, one in all my shoppers determined to …

Leave a Reply

Your email address will not be published. Required fields are marked *