Symptom
When a workstation connects to a shared folder provided by network attached storage (NAS), the workstation displays the following error message.
\\<Server Name> is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.
The account is not authorized to log in from this station.
Cause
The workstation has the "Microsoft network client: Digitally sign communications (always)" setting enabled in Local Computer Policy or Domain Policy, located at "Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options". However, the network attached storage doesn't support this function or doesn't have it enabled.
Resolution
By default, "Microsoft network client: Digitally sign communications (always)" is disabled on standalone workstations, domain workstations and domain member servers. If this setting is enabled, the SMB client requires SMB servers to use SMB Message Signing. If the network attached storage doesn't support SMB Message Signing or doesn't have it enabled, Windows clients with the setting enabled reject the SMB connection. Some companies follow a Windows security hardening guide and enable this option by Group Policy.
1. Enabling SMB Message Signing on network attached storage
If the network attached storage supports SMB Message Signing, enable this setting on the network attached storage.
2. Change "Microsoft network client: Digitally sign communications (always)" setting to Disabled
If disabling this setting doesn't break your company's Windows security hardening, disable it at the following path.
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Microsoft network client: Digitally sign communications (always) - Disabled
After updating the setting, administrators have to reboot the server.
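To confirm which state the workstation is actually in before or after applying either resolution, the following added example (not part of the original post) reads the registry value behind the policy, the effective SMB client configuration, and any open sessions to the NAS. The function name and the server name `nas01.example.local` are hypothetical; it assumes Windows 8 / Server 2012 or later and an elevated PowerShell prompt.

```powershell
# Added example: audit the SMB client signing requirement on this workstation.
# Assumes the SmbShare module (Windows 8 / Server 2012 or later) and an elevated prompt.
function Get-SmbClientSigningState {
    [CmdletBinding()]
    param(
        # Hypothetical NAS host name; replace with the server named in the error message.
        [string]$ServerName = 'nas01.example.local'
    )

    # Registry value behind "Microsoft network client: Digitally sign communications (always)".
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $prop = Get-ItemProperty -Path $key -Name RequireSecuritySignature -ErrorAction SilentlyContinue
    # A missing value means the policy was never written; treat that as Disabled.
    $registryRequired = [bool]($prop -and $prop.RequireSecuritySignature -eq 1)

    # Effective setting as the SMB client itself reports it.
    $cfg = Get-SmbClientConfiguration

    # Existing sessions to the NAS, if any, with negotiated dialect and signing state.
    $sessions = @(Get-SmbConnection -ServerName $ServerName -ErrorAction SilentlyContinue |
        Select-Object ServerName, ShareName, Dialect, Signed)

    [pscustomobject]@{
        RegistryRequireSigning = $registryRequired
        ClientRequireSigning   = [bool]$cfg.RequireSecuritySignature
        ServerName             = $ServerName
        OpenSessions           = $sessions
    }
}

$state = Get-SmbClientSigningState
$state | Format-List

# Signing required but no session established matches the symptom described above.
if ($state.ClientRequireSigning -and $state.OpenSessions.Count -eq 0) {
    Write-Warning ("Signing is required and no session to {0} exists; " +
        "check whether SMB Message Signing is enabled on the NAS.") -f $state.ServerName
}
```

If `RegistryRequireSigning` stays `True` after a local change, a Domain Policy is reapplying the setting and the change has to be made in the GPO instead.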
More information
The Basics of SMB Signing (covering both SMB1 and SMB2)
How to Shoot Yourself in the Foot with Security, Part 1
This posting is provided “AS IS” with no warranties, and confers no rights!