18.5.8.1 Ensure 'Enable insecure guest logons' is set to 'Disabled'

Information

This policy setting determines if the SMB client will allow insecure guest logons to an SMB server.

The recommended state for this setting is: Disabled.

Rationale:

Insecure guest logons are used by file servers to allow unauthenticated access to shared folders.

Impact:

The SMB client will reject insecure guest logons. This was not originally the default behavior in older versions of Windows, but Microsoft changed the default behavior starting with Windows Server 2016 R1709: Guest access in SMB2 disabled by default in Windows 10 and Windows Server 2016

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Network\Lanman Workstation\Enable insecure guest logons

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template LanmanWorkstation.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).

Default Value:

Server 2016 RTM (R1607) and older: Enabled. (The SMB client will allow insecure guest logons.)

Server 2016 R1709, Server 2019 and newer: Disabled. (The SMB client will reject insecure guest logons.)

See Also

https://workbench.cisecurity.org/files/4286

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv7|9.2

Plugin: Windows

Control ID: 258ad92301d9a10112952780d2139744f4ed6bf256d6e5fe68c3b57f9b466a23