July 21, 2021

Security question

Just want some confirmation that I am not going crazy.

I work for an MSP and one of our clients has engaged a 3rd party to deploy an application. Turns out it's a Java app that is run from an SMB share over an IPsec tunnel. However, another component for file transfer is utilising another SMB share over the internet (no VPN). Connections to this SMB host are whitelisted.

Here’s the real kicker. To access the shares we need to enable guest access in SMB2 to connect without creds.

I haven't had much to do with this project, but I came across it due to having to handle a server upgrade from 2008 R2 -> Server 2019. Server 2019 disables this guest access by default and subsequently blocked access. I then found a GPO enabling guest access for all workstations. I have contacted the client and the 3rd party involved about the issue but have yet to see responses from anyone who cares.

Wondering if I am overreacting here... Here is the warning from MS in their doco:

**Important**

Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access.

Even with the whitelisting, it's leaving our client quite vulnerable, right?
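The post describes two things an administrator would want to verify on the affected workstations: whether the SMB client is currently willing to make insecure guest logons (the setting Server 2019 turns off by default), and whether a GPO is forcing it back on. The script below is an added example, not something from the original post or from Microsoft; it audits those settings with the SmbShare cmdlets and the registry locations the "Enable insecure guest logons" policy writes to (the policy key path and the `AllowInsecureGuestAuth` value name are my assumptions about where that GPO lands), lists the live SMB connections so any unsigned/unencrypted sessions stand out, and, only when asked, flips the client back to the secure defaults. It assumes Windows 10 / Server 2016 or later with the `SmbShare` module and an elevated PowerShell session.

```powershell
<#
  Audit (and optionally remediate) insecure SMB guest logons on a Windows client.
  Added example, not the original poster's or Microsoft's code.
  Assumes: Windows 10 / Server 2016+, elevated session, SmbShare module present.
  Usage:  .\Audit-SmbGuest.ps1            # report only
          .\Audit-SmbGuest.ps1 -Remediate # also enforce the secure client settings
#>
param([switch]$Remediate)

# Assumed registry locations: the local service parameter and the policy key
# that the GPO "Enable insecure guest logons" (Computer Configuration >
# Administrative Templates > Network > Lanman Workstation) populates.
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
$valueName  = 'AllowInsecureGuestAuth'

function Get-RegDword($Path, $Name) {
    # Returns the DWORD value or $null when the key/value is absent.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Effective SMB client behaviour as the client itself reports it.
$client = Get-SmbClientConfiguration
$report = [pscustomobject]@{
    EnableInsecureGuestLogons = $client.EnableInsecureGuestLogons
    RequireSecuritySignature  = $client.RequireSecuritySignature
    ServiceKeyValue           = Get-RegDword $serviceKey $valueName
    PolicyKeyValue            = Get-RegDword $policyKey  $valueName   # non-null => set by GPO
}
$report | Format-List

# 2. Flag the findings the post is worried about.
if ($report.EnableInsecureGuestLogons) {
    Write-Warning 'SMB client allows insecure guest logons: signing and encryption are off for guest sessions.'
}
if ($null -ne $report.PolicyKeyValue -and $report.PolicyKeyValue -eq 1) {
    Write-Warning "Group Policy is forcing $valueName=1; a local fix will be reverted at the next policy refresh. Fix the GPO."
}
if (-not $report.RequireSecuritySignature) {
    Write-Warning 'SMB client does not require signing; consider requiring it for all sessions.'
}

# 3. Show current SMB sessions so unsigned/unencrypted ones (typical of guest access) are visible.
Get-SmbConnection |
    Select-Object ServerName, ShareName, UserName, Dialect, Signed, Encrypted |
    Format-Table -AutoSize

# 4. Optional remediation of the local client setting (the GPO must still be
#    corrected separately, otherwise this is undone on the next gpupdate).
if ($Remediate) {
    Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Write-Host 'Insecure guest logons disabled and SMB signing required on this client.'
}
```

Run it without `-Remediate` first on one of the workstations covered by the GPO: if `PolicyKeyValue` comes back as 1, the warning tells you what the server upgrade already told you, namely that the policy, not the local default, is what has to change. Expect the file-transfer share to stop working once guest access is off; that is the point at which the 3rd party has to provide credentials (and ideally a VPN) rather than the client weakening every workstation.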
