
Microsoft network client: Send unencrypted password to third-party SMB servers

Normally Windows protects passwords during authentication by using a challenge/response protocol based on a hash of the password rather than sending the password itself over the network.

Windows uses SMB or CIFS primarily for file sharing and printer sharing, as well as a lot of other domain and Windows networking traffic. SMB (port 139) is the older, more proprietary file sharing protocol, while CIFS (port 445) is an internet standard.

Some non-Windows file server implementations of SMB don’t support this password protection and only work if the Windows client is willing to send the user’s password over the network in clear text. Normally Windows refuses to do this, but this setting, if enabled, allows the Windows computer to connect to SMB servers using clear-text password authentication.

Bottom line

Don’t enable this setting except on specific systems that must be able to access SMB servers incapable of the normal password protection in modern SMB. Make sure you understand the risk – namely that other nodes on the network may be able to “sniff” the SMB traffic and thereby discover the password.
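The following PowerShell is an added example for auditing and remediating this setting on a local machine; it is not code from the original page. It assumes (from Microsoft's policy documentation, not stated on this page) that the policy is backed by the DWORD value EnablePlainTextPassword under HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters, where 1 means enabled and 0 or an absent value means disabled.

```powershell
# Added example: audit and remediate "Microsoft network client: Send unencrypted
# password to third-party SMB servers" on the local computer.
# Assumption (from Microsoft's policy documentation, not from this page): the
# policy maps to the DWORD EnablePlainTextPassword under the LanmanWorkstation
# Parameters key; 1 = enabled (clear-text allowed), 0 or absent = disabled.

$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$RegValue = 'EnablePlainTextPassword'

function Get-PlainTextSmbPasswordSetting {
    [CmdletBinding()]
    param()

    # Read the value without failing when it has never been set.
    $item = Get-ItemProperty -Path $RegPath -Name $RegValue -ErrorAction SilentlyContinue
    $raw  = if ($null -ne $item) { [int]$item.$RegValue } else { $null }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        RegistryPath     = $RegPath
        ValueName        = $RegValue
        RawValue         = $raw               # $null when the value is absent
        PlainTextAllowed = ($raw -eq 1)       # only an explicit 1 enables clear text
        Compliant        = ($raw -ne 1)       # absent or 0 is the secure default
    }
}

function Disable-PlainTextSmbPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if (-not (Test-Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$RegPath\$RegValue", 'Set to 0 (disabled)')) {
        Set-ItemProperty -Path $RegPath -Name $RegValue -Value 0 -Type DWord
    }
    # Return the post-change state so the caller can verify the remediation.
    Get-PlainTextSmbPasswordSetting
}

# Usage (run from an elevated PowerShell prompt):
$state = Get-PlainTextSmbPasswordSetting
$state | Format-List
if ($state.PlainTextAllowed) {
    Write-Warning "Clear-text SMB password authentication is enabled on $($state.ComputerName); any host on the network path can read the password."
    Disable-PlainTextSmbPassword -WhatIf   # remove -WhatIf to apply the change
}
```

On a domain-joined machine a Group Policy setting will overwrite a local change at the next refresh, so treat the registry write as a local remediation and fix the policy at its source; the audit function is the part worth running across a fleet to find the specific systems the bottom line above refers to.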
