18.6.8.1 (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'

Information

This policy setting determines if the SMB client will allow insecure guest logons to an SMB server.

The recommended state for this setting is: Disabled

Insecure guest logons are used by file servers to allow unauthenticated access to shared folders.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Network\Lanman Workstation\Enable insecure guest logons

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template LanmanWorkstation.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).

Impact:

The SMB client will reject insecure guest logons. This was not originally the default behavior in older versions of Windows, but Microsoft changed the default behavior starting with Windows Server 2016 R1709:

Guest access in SMB2 disabled by default in Windows 10 and Windows Server 2016

See Also

https://workbench.cisecurity.org/benchmarks/17689

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv7|9.2

Plugin: Windows

Control ID: 839d2c027ed3561bae8ba46531bcfe44eeaa8047cd1fdfc9553f576c481992a9