Windows 10 My W10 PC is sending anonymous / unauthenticated SMB network requests


olivercervera

Hello,

I reinstalled Windows 10 Pro 2004 on my desktop last week and discovered an issue: it is sending unauthenticated / anonymous SMB requests to my server.

My Linux server exposes shares over Samba, which is obviously configured to accept only authentication and deny access to guest users. According to this article, Windows 10 should not send unauthenticated (GUEST) requests.

My workflow is the following: I open File Explorer, my server appears in "Network", if I open it I am asked to authenticate and I save credentials, I authN successfully and I can browse folders. I mount the folders I want as network drives.

Everything seems to work fine, but after a few seconds of browsing folders my server is flooded by errors and Windows Event Viewer logs errors under SMB-Client.

Here are the Windows logs. As you can see, there are thousands of errors made in just a week.
Sorry, my OS is set to Italian; the error says:


Error: {Access Denied}

A process has requested access to an object, but has not been granted those access rights.



Path: \nas\data


Error code: 31010





I want to highlight:
- These errors are made while I can browse and use SMB without issues

- These errors are not logged when using another PC or VM, I have tested with both.

- There's no difference whether or not I mount the folder as a share


On the server (SMB) side, here's what I get with verbose logging.


Mapping user []\[] from workstation

attempting to make a user_info for ()
made a user_info for ()
check_ntlm_password: Checking password for unmapped user []\[]@[PC-OLIVER] with the new password interface
check_ntlm_password: mapped user is: []\[]@[PC-OLIVER]
auth_check_ntlm_password: anonymous authentication for user [] succeeded
Auth: [SMB2,(null)] user []\[] at [Thu, 10 Sep 2020 19:47:59.018110 CEST] with [(null)] status [NT_STATUS_OK] workstation [PC-OLIVER] remote host [ipv4:192.168.0.100:49239] became [NAS]\[nobody] [S-1-5-21-1308971618-3954224730-4125826118-501]. local host [ipv4:192.168.0.101:445]
check_ntlm_password: guest authentication for user [] -> [] -> [nobody] succeeded

Successful AuthZ: [SMB2,NTLMSSP] user [NT AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Thu, 10 Sep 2020 19:47:59.018445 CEST] Remote host [ipv4:192.168.0.100:49239] local host [ipv4:192.168.0.101:445]



At the same time these logs record the correct authN with the right user I saved in Credentials Manager.

Non-verbose logs say:

create_connection_session_info: guest user (from session setup) not permitted to access this share (data)

create_connection_session_info failed: NT_STATUS_ACCESS_DENIED



I also turned on Wireshark and confirmed that my PC is indeed sending empty AuthN requests:


I tried to edit settings that are already enabled by default and should not allow anonymous requests over the network.
secpol.msc > local policies > security options:
- Network access: do not allow anonymous enumeration of SAM accounts: ENABLED
- Network access: do not allow anonymous enumeration of SAM accounts and shares: ENABLED


I also tried deleting credentials from Credential Manager, removing all shares with the command

net use * /delete

and then using something like

net use z: \\servername\path /USER:username


I've exhausted my troubleshooting steps, hence I am seeking your expertise!
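
One way to measure this from the Samba side is to count, per client, how many session setups were anonymous and how many carried a user name, alongside the guest denials per share. This is an added example, not part of the original post; the "named" sample line (user `oliver`, its SID and port) is constructed, while the other sample lines are copied from the logs above.

```python
import re
from collections import Counter

# Field layout follows the "Auth:" line quoted in the post.
AUTH_RE = re.compile(
    r"Auth: \[[^\]]*\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r".*?status \[(?P<status>[^\]]*)\] workstation \[(?P<ws>[^\]]*)\] "
    r"remote host \[ipv[46]:(?P<host>[^\]]*):\d+\]"
)
DENY_RE = re.compile(
    r"guest user \(from session setup\) not permitted "
    r"to access this share \((?P<share>[^)]*)\)"
)

def summarize(lines):
    """Return (sessions, denials): successful session setups keyed by
    (workstation, host, 'anonymous'|'named') and guest denials keyed by share."""
    sessions, denials = Counter(), Counter()
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            if m["status"] == "NT_STATUS_OK":
                # An empty user name is the anonymous session seen in the post.
                kind = "anonymous" if m["user"] == "" else "named"
                sessions[(m["ws"], m["host"], kind)] += 1
            continue
        m = DENY_RE.search(line)
        if m:
            denials[m["share"]] += 1
    return sessions, denials

SAMPLE = [
    # Copied from the post:
    r"Auth: [SMB2,(null)] user []\[] at [Thu, 10 Sep 2020 19:47:59.018110 CEST] with [(null)] status [NT_STATUS_OK] workstation [PC-OLIVER] remote host [ipv4:192.168.0.100:49239] became [NAS]\[nobody] [S-1-5-21-1308971618-3954224730-4125826118-501]. local host [ipv4:192.168.0.101:445]",
    r"Successful AuthZ: [SMB2,NTLMSSP] user [NT AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Thu, 10 Sep 2020 19:47:59.018445 CEST] Remote host [ipv4:192.168.0.100:49239] local host [ipv4:192.168.0.101:445]",
    "create_connection_session_info: guest user (from session setup) not permitted to access this share (data)",
    # Constructed for this example (authenticated login from the same PC):
    r"Auth: [SMB2,(null)] user [PC-OLIVER]\[oliver] at [Thu, 10 Sep 2020 19:47:58.000000 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [PC-OLIVER] remote host [ipv4:192.168.0.100:49238] became [NAS]\[oliver] [S-1-5-21-0-0-0-1000]. local host [ipv4:192.168.0.101:445]",
]

if __name__ == "__main__":
    sessions, denials = summarize(SAMPLE)
    for key, count in sorted(sessions.items()):
        print(key, count)
    print("guest denials per share:", dict(denials))
```

Feeding the real log file to `summarize` shows whether the anonymous sessions all come from the one reinstalled PC and which shares they probe.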
