What's new

Microsoft to block access to routers with USB storage in Windows 11 24H2

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

TheLostSwede

Very Senior Member
It looks like Microsoft is about to get tough on network security in Windows 11 and beyond killing off support for SMB1, the company also wants to block access to routers with USB storage, unless they support cryptographic signing. The same seems to apply to NAS devices too and according to Tom's Hardware, Microsoft wants feedback on the issue.

Pyle explains that Microsoft would like to know if users have routers with USB ports and NAS units that do not support SMB signing. He says, "If you have a third-party NAS device that doesn't support SMB signing, we want to hear about it. Please email wontsignsmb@microsoft.com with the make and model of your NAS device so we can share it with the world and perhaps get the vendor to fix it with an update."

 
Apple didn't start with Linux. They use parts of FreeBSD
 
"Pyle says that this change in Windows 11 24H2 will secure over a billion devices as it will force NAS and router makers to update unpatched devices."

That just won't happen and they know it. NAS and router makers will use this to get more new sales and it helps push win11.


What everyone will end up doing:

"6. Disable the SMB client signing requirement:"
 
It looks like Microsoft is about to get tough on network security in Windows 11 and beyond killing off support for SMB1, the company also wants to block access to routers with USB storage, unless they support cryptographic signing. The same seems to apply to NAS devices too and according to Tom's Hardware, Microsoft wants feedback on the issue.

I think this is fine - SMB1 along with AFP (Netatalk) have been deprecated for some time now...
 
Riiiiiiiight

When they convert their core to Linux and overlay the GUI that might happen. Apple started with Linux and then made it pretty and thus easy enough for anyone to use with less 'patches' needed.

There's no linux inside MacOS - as @microchip mentions, there's some freebsd userland stuff - mostly for posix compliance, and as a result, MacOS is a true unix variant, oddly enough...

Apple used to do Samba, but moved over to their own implementation after Samba changed their licensing model...
 
I think this is fine - SMB1 along with AFP (Netatalk) have been deprecated for some time now...
I thought they'd dropped SMB1 support a long time ago to be honest.
It's more about the SMB signing that's going to be an issue for a lot of people.
 
I thought they'd dropped SMB1 support a long time ago to be honest.
It's more about the SMB signing that's going to be an issue for a lot of people.
  • Windows 10 Enterprise, Windows 10 Education, and Windows 10 Pro for Workstations no longer contain the SMBv1 client or server by default after a clean installation.
  • Windows Server 2019 and later no longer contains the SMBv1 client or server by default after a clean installation.
  • Windows 10 Home and Windows 10 Pro no longer contain the SMBv1 server by default after a clean installation.
  • Windows 11 doesn't contain the SMBv1 server or client by default after a clean installation.
  • Windows 10 Home and Windows 10 Pro still contain the SMBv1 client by default after a clean installation. If the SMBv1 client isn't used for 15 days in total (excluding the computer being turned off), it automatically uninstalls itself.
 
It's more about the SMB signing that's going to be an issue for a lot of people.

Synology and QNAP have this handled already for their NAS OS'es...

Screenshot 2024-06-01 at 5.15.11 PM.png
Screenshot 2024-06-01 at 5.13.17 PM.png


Synology SRM 1.3 does support SMB2, but not encryption or signing...
 
The main obstacle isn't the willingless to support signing, it's to be able to implement an SMB server that supports it. Samba 3.x doesn't, and migrating to 4.x is not always possible since it takes a ridiculous amount of space - many routers only have like 32 or 64 MB of flash space for their firmware. Samba 4.x is a huge bloatted piece of code. Even 3.x required some hacking to make it fit in a router firmware.

Asus took a different route with their latest firmware updates for their ExpertWifi products, where they switched to Tuxera's proprietary Fusion File Share, which is a kernel mode implementation that also supports up to SMB 3.1. No official word yet as to what their plans are regarding other models. Also at this time, they configure it to reject signing requests, probably for performance reasons. Time will tell if they will eventually enable signing with a future update, assuming there isn't a technical limitation involved.

ksmb might be another potential alternative for some, but it requires a fairly recent kernel, which will rule out the large majority of current routers which run on kernels older than 5.x.
 
these settings are already enabled by default in the upcoming 24h2 builds coming out in the fall. You can just turn them off with group policy or powershell

As a heads up if youre running samba 4, smb signing totally murders transfer speed from 50mb to 5mb on my ax3000 and it was driving me crazy until i figured out what was causing it
 
Microsoft should stop worrying about locking down internal LAN communication, and start focussing on debugging and debloating their stuff instead. The vast majority of LAN traffic is unencrypted - why is SMB traffic suddenly so critical that it has to be signed? My home isn't a Fortune 500 network for starter.
 
Similar threads
Thread starter Title Forum Replies Date
I Router access Routers 5

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top