Powershell, NAS access & Permissions? issues
I have recently run into the "Guest access in SMB2 & SMB3" issue outlined by Microsoft here, and I am trying to understand the full scope of the issue. So far as I can tell, this only impacts NAS access or the like, because a share on a domain member computer is not accessed as a guest. However, I have an account on my NAS, with matching name and password, and permissions are handled properly. Meaning, on a Windows build that doesn't have the outlined problem, I CAN access folders that user has permissions for, and I can't access folders that user doesn't have permission for. Which seems like I am NOT accessing the NAS as a guest, but rather with user credentials. So, can someone explain what is actually happening under the hood?
Also, I was alerted to the issue because a customer was seeing this behavior, and the "fix" outlined by Microsoft is not working for them. Their scenario is slightly different in that they are using Azure in a way that I am not familiar with, basically syncing Group Policy, or at least permissions, with Azure. But Microsoft's information linked above makes no mention of Azure at all, so not sure what the Azure based version of Group Policy is capable of.
And finally, on my Windows 10 Enterprise VM, accessing a Synology NAS, I lose not only PowerShell access to the NAS, but Explorer as well. I get the error mentioned in the link.
You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.
But for this customer, the issue is not showing up in Explorer, only (so far as we have seen) in PowerShell. And in PowerShell it manifests as Test-Path failing on a valid path, that we can access in Explorer. Does that suggest some other problem, and my Google-Fu has led me astray?
• The document that you are referring to is basically an official documentation for the support of SMB 2 and SMB 3 in various versions of Windows. Kindly refer to the below table for summary of the whole document: -
• The document implies that starting from adoption of support for SMB 2 and 3, the guest account authentication by default for access to the remote network shares is not possible/is denied and in some cases, will be given access as a guest user (with least possible privileges to the files of that network share) when the actual user credentials entered when asked are not verified. The document also states that SMB 1 is not supported in the versions of Windows stated above in the table. In the above table too, certain versions of Windows 10 require an update is for the stated behavior of guest account earlier while certain versions of Windows 10 where update is not required, the administrator has the authority to allow guest user access to remote network shares.
• Also, guest user logons are disabled by default in various versions of Windows as they do not support standard security features such as signing and encryption thus making them vulnerable to the man-in-middle attacks. Thus, if you want to enable insecure guest logon centrally on all the systems in your network or a subset of systems in your network, then you can do so by enabling the same through a group policy as described below in the link: -
The above setting to enable insecure guest logon is described for on-premises environment while the same setting in group policy can be enabled or set in Azure also through Azure AD Domain Services group policy options. For that purpose, you will need a domain managed by Azure AD Domain Services and a Windows Server VM joined to it acting as the DC of the domain environment. For more details on setting up the Group Policy Management server in Windows Server VM, kindly refer to the link below for more details and then do the same setting as said in the link above. Once you enable the insecure guest logon for your Azure AD managed domain, you will not encounter the same issue again and you would then be able to use powershell with guest access.
- Azure PowerShell command to list all Azure VM SKU Sizes enabled for Confidential Computing Azure ACC
- Azure File Share: Cannot map network drive
- Using script commands, how to add multiple scale rules to an Azure Container App?
- Powershell ADSI: Can I query the local Administrators group using a SID?
- PowerShell script to take backup of all environment variables & save it in a file
- Having trouble making UserPrincipalName all lowercase in Powershell
- Is there a way in PowerShell to get the default value of a script parameter?
- What does this command prompt input do?
- Powershell unable to find type [System.Windows.Forms.KeyEventHandler]
- tsc.ps1 cannot be loaded because running scripts is disabled on this system
- Unexpected return value when using function in an if statement
- Powershell howto Filter XML Nodes
- How to untar multiple files with an extension .tar.gz.aa, .tar.gz.ab..... in windows?
- Searching for backslash in a string with Powershell
- How do I start PowerShell from Windows Explorer?
- Can I use PowerShell in shell-mode for Emacs?
- Powershell .contains() check without casesensitive
- Prevent Pull Request builds from triggering Continuous deployment trigger Azure DevOps Server
- How can I obtain the user's Logon Session SID (e.g. S-1-5-5-X-Y) or otherwise verify RMF SC-23 Unique Identifiers in Windows
- Why do I get this error when I try to set my powershell terminal title in my ps1 script?
- Powershell script file that contains function doesnt load
- How to Compare Sets of Users
- Powershell function returns stdout? (Old title: Powershell append to array of arrays appends stdout?)
- Can a type be added that references an in-memory assembly?
- Converting .bmp to .png using powershell causes memory leak
- Display all environment variables from a running PowerShell script
- How to set PIPENV_IGNORE_VIRTUALENVS=1?
- Where is the "downloads" folder located
- How can I make a powershell script work in an Azure function with PowerShell 5 and module AzureADPreview?
- Test-Path doesn't found localised folder names